GOU Manual



GOVERNMENT OF UGANDA INTERNAL AUDIT & INSPECTION MANUAL

Acknowledgements

Article 1 Purpose and Contents of the Manual
1.1 Responsibility for the Manual
1.2 Legal framework

Article 2 General Definition of Internal Auditing
2.1 Concept of Internal Auditing
2.2 Objectives of Internal Audit
2.3 Tasks of an Internal Auditor/Inspector
2.4 Ethics and Professional Conduct of an Internal Auditor/Inspector

Article 3 Internal Audit Service Delivery Process
3.1 Objectives of an effective internal audit methodology
3.2 Stages in the Internal Audit Methodology
3.3 Establishing the Audit Objectives and Auditee Expectations
3.4 Preparing for the Expectations Meeting
3.5 Developing Audit Objectives and Establishing Auditee Expectations
3.6 Developing the Risk Assessment Criteria
3.7 Communicating Overall Audit Objectives Expectations Results to Auditees
3.8 Risk Assessment
3.9 Understanding the Auditee’s Business
3.10 Assessing the Control Environment
3.11 Developing and Confirming Your Understanding of the Processes
3.12 Linking Internal Audit Focus to Key and Critical Processes
3.13 Identifying Risks and Related High-Level Controls
3.14 Assessing Risks
3.15 Reporting and Agreeing on the Risk Assessment
3.16 Audit Plan
3.17 Major Processes
3.18 Coordinating the Audit Plan
3.19 Agreeing to the Audit Plan

Article 4 Audit Execution
4.1 Designing Tests of Control
4.2 Pre-Audit Work
4.3 Analytical Review
4.4 Carrying Out Tests of Detail and Substantive Procedures
4.5 Issues for Management’s Attention
4.6 Concluding the Audit and Report
4.7 Reviewing Working Papers
4.8 Communicating Results

Article 5 Working Documentation of an Internal Auditor/Inspector
5.1 Working Documentation
5.2 Principles for the Compilation of Working Documents
5.3 Principles for the Preparation of Working Lists

Article 6 Financial Audits
6.1 Introduction
6.2 Definition of Financial Audit
6.3 Objective of a Financial Audit
6.4 Financial Audit Procedures, Preparations and Execution
6.5 Review of Financial Processes

Article 7 Audit Inspection
7.1 Introduction
7.2 PAF Inspection Procedures – Overview
7.3 Audit Inspection of Missions Abroad
7.4 Compliance & Inspection Checklist
7.5 Annual Accounts
7.6 Inspection of Computerised Accounting Systems

Article 8 Performance Audits
8.1 Introduction
8.2 Definitions
8.3 Questions Answered by a Performance Audit
8.4 Concepts in Performance Auditing
8.5 Approaches to Performance Auditing
8.6 Performance Auditing and the International Auditing Standards
8.7 Performance Audit Methodology
8.8 Understand the entity’s activities
8.9 Deciding on the main elements of the study
8.10 Analysing the main study question into sub-questions
8.11 Identifying criteria
8.12 Identifying the Audit Evidence That Answers the Study Questions
8.13 Selecting the Methods of Interpreting Audit Evidence
8.14 The Preliminary Study Report
8.15 Summarising, Analysing and Interpreting Audit Evidence
8.16 Documentation
8.17 Reviewing the Evidence
8.18 Reporting
8.19 Criteria Used to Assess Performance

Article 9 Systems Audit
9.1 Manual Purpose and Contents
9.2 Basic Terminology
9.3 System Audit General Description
9.4 Assessment Effectiveness of Internal Control System
9.5 Audit of Operations

Article 10 Information Technology Audit
10.0 Introduction
10.1 Understanding IT Controls
10.2 Internal Auditing Role in relation to IT
10.3 Common IT Process Controls
10.4 Risk Considerations in Determining the Adequacy of IT Controls
10.5 Control Characteristics to Consider
10.6 The IT Audit Procedures
10.7 Planning an IT Audit
10.8 Risk Scoring System
10.9 Application Audit Programme
10.10 Other Issues To consider In the Audit Programme
10.11 Audit Methodology and Best Practices: Summary
10.12 Audit of the Integrated Financial Management System (IFMS)
10.13 Review of IFMS General Controls
10.14 Computer-Assisted Audit Techniques (CAATS)
10.15 Auditor/Inspector Knowledge Considerations

Article 11 Fraud and Irregularities
11.0 Introduction
11.1 Fraud Red Flags
11.2 Understanding the Business and the Risk of Fraud & Irregularities in Each Business Area/Process
11.3 Assessing the Impact of Each Possible Fraud & Irregularities Based on its Severity and Potential Frequency
11.4 The Internal Auditor’s/Inspector’s Role
11.5 Conduct of the Investigation
11.6 Interviewing
11.7 Interviewing Techniques for Fraud Investigations
11.8 Fact Finding Interviews
11.9 Interviews with Suspect(s)
11.10 Interview Notes
11.11 Voluntary Statements under Caution
11.12 Other Relevant Areas
11.13 Components of an Appropriate Anti-Fraud and Irregularities Culture

Appendix 1 ESAAG Guidelines
Appendix 2 International Standards for the Professional Practice of IA
Appendix 3 Fraud Prevention Check up by the Association of Certified Fraud Examiners


Article 1 Purpose and Contents of the Manual

This manual is a handbook for use by the Government of Uganda Internal Audit staff, departments, agencies, etc. It is tailored to meet the demands on Internal Audit of adequately discharging its statutory and professional responsibilities towards those being audited and the people of Uganda.

The manual provides the tools for Internal Audit Service staff to carry out the planning, monitoring, reporting and execution of internal audit. It offers a number of different audit approaches, along with the planning tools to decide which approach best fits the local circumstances.

This manual should be considered a working document, subject to amendments as new regulations, rules and working practices are introduced. It is the property of the Government of Uganda.

1.1 Responsibility for the Manual

• The Permanent Secretary / Secretary to the Treasury, Accountant General and Commissioner for Inspectorate and Internal Audit have the overall responsibility for ensuring compliance and for updating the manual.
• All suggestions for amendments, additions and improvements to the manual should be directed to the Permanent Secretary / Secretary to the Treasury.

This manual shall be available to all audit personnel and used as guidance in the conduct of all Internal Audit work within Central Government Ministries, Departments and Agencies.

1.2 Legal framework

The Internal Auditing Manual makes use of the following laws, regulations, standards, and directives though direct reference to them is encouraged:

• Public Finance and Accountability Act, 2003;
• Public Finance and Accountability Regulations, 2003;
• International Standards for the Professional Practice of Internal Auditing, issued by (IIA);
• International Standards of Auditing issued by the International Standards and Assurance Services Board of the International Federation of Accountants;
• Internal Audit Charter, issued by the Ministry of Finance, Planning and Economic Development;
• Code of Ethics for Internal Auditors/Inspectors, issued by the Ministry of Finance, Planning and Economic Development;
• Internal Audit Guidelines set by the East and Southern African Association of Accountants General (ESAAG);
• The Treasury Accounting Instructions 2003, and
• Circulars issued from time to time by the Permanent Secretary, Accountant General, etc.;
• Other Standards of other professional bodies like the Association of Certified Fraud Examiners, the Information Systems Auditing Control Association and others.


Article 2 General Definition of Internal Auditing

2.1 Concept of Internal Auditing

The Institute of Internal Auditors/Inspectors defines Internal Auditing as "an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

“Internal Control” means a set of systems operated by an organisation to ensure that financial and other records are reliable and complete. The objective of the internal control system is to ensure that management adheres to policies and procedures for the orderly and efficient conduct of the business, proper recording, and the safeguarding of assets and resources.

2.2 Objectives of Internal Audit

The Internal Audit unit shall appraise the soundness and application of accounting, financial and operational controls and in particular shall –

• Review and report on proper control over the receipt, custody and utilisation of all financial resources of the unit;
• Review and report on conformity with financial and operational procedures;
• Review and report on the correct classification;
• Review and report on the reliability and integrity of financial and operational data, so that information provided allows for the preparation of accurate financial statements and other reports for the information of the unit and the general public as required by legislation;
• Review and report on the systems in place used to safeguard assets, and as appropriate, the verification of the existence of such assets;
• Review and report on operations or programs to ascertain whether results are consistent with established objectives and goals;
• Review and report on the adequacy of action by management in response to internal audit reports;
• Review and report on the adequacy of controls built into computerised systems in place within the unit;
• Respond to ad hoc requests for audit assistance or advice as may be requested by the Accounting Officer or the Heads of Departments of a unit;
• Check and report shortcomings in connection with the accounts, finances and related operations of the Ministry, Department or Agency;
• Be alert to opportunities, such as control weaknesses, that could allow fraud; where fraud is suspected, the appropriate authorities within the department will be informed.


2.3 Tasks of an Internal Auditor/Inspector

• Analyse the activities of the audited organisation periodically, to monitor the management of these activities, and to recommend adequate measures to improve the auditee’s performance;
• Verify the reliability and suitability of the information system;
• Ascertain whether the entity’s policies are implemented correctly;
• Monitor and revise the performance of financial management at all levels of management;
• Inform the management of any irregularity or anomaly revealed and recommend appropriate measures for their elimination;
• Assess the organisation's resources and ensure that all resources (human, material, and financial) are utilised appropriately so that the best possible results are achieved;
• Follow up on whether the recommendations by the internal auditor/inspector have been implemented.

2.4 Ethics and Professional Conduct of an Internal Auditor/Inspector

Professionally and ethically, the internal auditor/inspector should:

• Be objective in all dealings.
• Behave with integrity and honesty.
• Carry out their work with due skill and care.
• Ensure that all information learnt or obtained is kept confidential.


Article 3 Internal Audit Service Delivery Process

3.1 Objectives of an effective internal audit methodology

• Align the internal audit resources with the organisation objectives
• Deliver value to the organisation
• Leverage on internal knowledge to efficiently identify and appropriately assess risks
• Drive efficiencies throughout the service delivery process

3.2 Stages in the Internal Audit Methodology

• Establish the Audit Objectives and Auditee Expectations
• Undertake Enterprise Risk Assessments
• Audit Plan
• Execution
• Communicate Results

3.3 Establishing the Audit Objectives and Auditee Expectations

Auditors/Inspectors develop a mutual understanding of the scope of their internal audit services among the executive management and the Audit Committee. Based on that understanding and the auditor’s/inspector’s perception of the work needed, the internal auditor/inspector will determine the objectives of the audit (i.e., intended audit accomplishments). Objectives will be in enough detail to guide the audit program development. This understanding helps in determining the criteria for assessing the related risks, and the value to be delivered through the provision of internal audit services. Auditors/Inspectors also gain an understanding of the relationship protocols, management’s views on audit coverage and cycling, and other information critical to the success of the engagement.

Importance of this step

It helps the Internal Auditor/Inspector to:

• Determine the auditee’s expectations and establish relationship objectives and protocols
• Gain a high-level understanding of the auditee organisation’s objectives and associated critical success factors
• Understand the internal audit focus
• Determine the benefits the auditee wants to receive from their internal audit services and establish the criteria for measuring and communicating the results of our service
• Develop the Risk Assessment Criteria
• Obtain sponsorship commitment for their audit process


Steps in establishing audit objectives and auditee expectations

a) Arrange an Auditees’ Expectations Meeting.
b) Develop the Audit Objectives and Auditee Expectations.
c) Develop the Risk Assessment Criteria.
d) Communicate Audit Objectives and Expectations Results to auditees.

3.4 Preparing for the Expectations Meeting

• Identify the internal audit team and the auditee liaison person
• Discuss and agree the role of the auditee’s liaison, including identifying available dates and location for the meeting
• Obtain, review, and analyze background information by obtaining a copy of the relevant legislation (laws, directives, and internal regulations), guidelines, organisational chart, definition of the posts, delegation of powers, etc.
• Perform a preliminary review of the accounting environment, the chart of accounts, the computer systems (the safety and storage of data) to ascertain the reliability and regularity of accounting and financial data
• Assign roles and responsibilities among the internal audit team
• Confirm attendees and mail correspondence to auditee participants

Information that should be documented in the working papers

At this stage, the following information should be maintained in our working papers:

• Background information obtained about auditee or organisation
• Institution’s organization chart
• Institution’s strategic plan
• Correspondence sent to auditee participants

3.5 Developing Audit Objectives and Establishing Auditee Expectations

Expectations meetings should periodically be conducted with the organization’s key decision makers to discuss and agree upon the engagement’s relationship objectives and protocols.

Issues to be examined in the meeting

1. Management’s strategic objectives
2. Desired internal audit focus and value criteria
3. Risk coverage
4. Strategic objectives
5. Internal audit focus
6. Critical and major processes of the organization
7. Organizational structure and alignment with processes
8. Audit coverage expectations
9. Relationship protocols
10. Role of the internal audit liaison
11. Distribution and format of audit reports
12. Measurement and communication of value
13. Receipt of feedback on internal audit services
14. Overall Audit Objectives


Information to be documented in the working papers

• Auditee’s strategic objectives
• Agreed-upon internal audit focus
• Role of the internal audit liaison
• All agreed-upon engagement protocols

3.6 Developing the Risk Assessment Criteria

This process consists of the following steps:

• Determine the assessment ratings to be used for the auditee. The ratings can be High, Moderate or Low.
• Determine the risk factors against which to assess organizational risks. The factors could be determined by asking executive management questions such as: “With respect to the agreed-upon business objectives, at a high level, how would the existence of a risk manifest itself, e.g., financial cost/lost opportunity, reputation damage?”
• Consider both the likelihood and the impact of the risk.
• Determine and agree upon the specific characteristics of the likelihood and impact of a risk.
• Analyze and detail the respective impacts that would fall within the high, moderate or low categories.
• Where appropriate, repeat this analysis for likelihood, i.e., how could the likelihood of the risk be measured, and indicate this likelihood within the high, moderate or low scale.
• Document the characteristics in a table form.


Example of Risk Assessment Criteria

Risk Factor: Financial Impact
• High: Adverse impact on actual revenues or actual costs > shs50m. External audit qualification on the report and accounts.
• Moderate: Adverse impact on actual revenues or actual costs of shs.10m – shs.50m. External audit management letter contains significant issues.
• Low: Adverse impact on actual revenues or actual costs of < shs.10m. External audit raises some isolated findings.

Risk Factor: Reputation
• High: Serious failure to comply with legal or regulatory requirements. Instances of bad publicity/reputation damaged to a national audience.
• Moderate: Failure to comply with legal or regulatory requirements in some instances. Instances of bad publicity/reputation damaged to regional audience.
• Low: Failure to comply with legal or regulatory requirements in non-serious and isolated cases. Instances of bad publicity/reputation damaged to local audience.

Risk Factor: Technology
• High: System enhancement or implemented without major functionality. Loss of systems leading to severe or ongoing business disruption (over 1 day). Management information used in key decision making is inaccurate.
• Moderate: System enhancement or implemented without some functionality. Loss or disruption to systems leading to significant business disruption (up to 1 day). Management information used for reporting purposes is inaccurate.
• Low: Minor delays in implementation of new/enhanced systems. Loss to systems leading to business disruption (up to 1 hour). Delays in availability of general management information.

Risk Factor: Likelihood
• High: Highly Likely; Systematic; On-going
• Moderate: Possible; Occasional
• Low: Unlikely

Information to be documented in the working papers

§ The final agreed-upon Risk Assessment Criteria should be included in our working papers.

3.7 Communicating Overall Audit Objectives Expectations Results to Auditees

The information agreed upon at the developing expectations meeting is crucial to the overall success of the internal audit engagement. To capture the agreements reached during the meeting, provide the attendees with a key deliverable from the meeting: a communication of all issues agreed on.

Information to be documented in the working papers

The communication sent to the auditees about the agreed-upon expectations and audit objectives should be included in the working papers.

3.8 Risk Assessment

Risks are events, actions, or inactions that could cause the business objectives not to be achieved. To mitigate and manage these risks, an organization typically implements controls and other risk management activities.

Risk assessment is the identification and analysis of risks to the achievement of the institution’s established objectives.


Risk assessment provides a guideline for facilitating a high-level assessment of financial and compliance risks and for identifying internal controls to manage those risks.

Parties responsible for risk assessment

Management has the responsibility of identifying, assessing, and managing risk. Internal audit has the role of:

§ Facilitating the identification and assessment of risk and,
§ Monitoring how well risks are actually being managed by the entity.

Importance of risk assessment

It enables the auditor/inspector to:

• Identify, assess, and document the risks and related risk management activities that exist within the organization’s processes and across its key organizational components (geographic locations, service lines, or functional units)
• Provide the primary focus for allocating audit resources in the Audit Plan process

Potential sources of risk

Government Agenda:
§ Citizen focus
§ Values and ethics
§ Accountability
§ Transparency
§ Responsible spending
§ Government on-line
§ Improved reporting
§ Modern comptrollership
§ Fairness & equity
§ Modern HRM
§ Integrated Risk Management

Corporate Management:
§ Structure and reporting relationships
§ Planning and priority setting
§ Budgeting and resource allocation
§ Expenditure management
§ Procurement and contracting
§ Performance management
§ Project management
§ Inventory management
§ Asset management
§ Human resources
§ Information and knowledge
§ Communications
§ Risk management

Compliance:
§ Funding and appropriations
§ Statutory reporting
§ Compliance with laws and regulations

Strategic:
§ Policy and strategy
§ Corporate reputation
§ Political factors
§ Public expectations
§ Stakeholder relations
§ Industry developments
§ Changing demographics
§ Globalization
§ National security threats
§ Business continuity
§ Competitive trends

Major steps in risk assessment process:

• Planning the Risk Assessment
• Understanding the Auditee’s Entity
• Mapping Major Processes to the Internal Audit Focus
• Identifying Risks and Related High-Level Controls
• Assessing Risks
• Agreeing on and Reporting the Risk Assessment

Planning the risk assessment

The objective of planning the Risk Assessment is to give the engagement team clarity and structure in order to complete the work successfully and efficiently. The Risk Assessment builds on the information obtained during the Co-Develop Expectations process.

How it is done

• Review engagement objectives, team member roles and responsibilities, and timelines
• Determine advance preparation requirements (if applicable) and documentation methods
• Determine the final output from the Risk Assessment (e.g., presentation to executive management and the Audit Committee)

Preparing the preliminary plan

A team or individual should be given the responsibility of:
§ Gathering existing knowledge about the auditee and engagement
§ Developing a preliminary work-plan for the Risk Assessment.

3.9 Understanding the Auditee’s Business

Understanding the Auditee’s business is the necessary first step in performing the Risk Assessment.

Determinants of the level of analysis to be done

§ The nature,
§ Scope, and
§ Size of the engagement
will drive how much analysis should be undertaken to understand the auditee’s business.

How to understand the business

• Assess the organization’s control environment
• Confirm and review the organization’s business objectives and critical success factors for achieving the objectives, recognizing that an organization will have implicit objectives in addition to those explicitly stated
• Identify how the organization is structured (by process and function) and begin to understand how the business objectives and internal audit focus are related to the processes
• Identify both internal and external influences that affect the organization’s business objectives, internal audit focus, and critical success factors
• Identify the significant risks inherent in the achievement of the business objectives and critical success factors
• Identify which process owners to meet with in order to complete the Risk Assessment
• Understand the auditee’s information technology environment
• Understand the auditee’s existing risk management process and reporting structures

3.10 Assessing the Control Environment

Control environment refers to management’s explicit and implicit control consciousness and attitude.

Use a control environment questionnaire to develop an understanding of the auditee’s control environment. The questionnaire consists of questions that may indicate risks that should be further evaluated or areas that might require additional audit procedures.

Issues examined by the questionnaire

• Management’s control consciousness and operating style.
• Integrity and ethical values.
• Corporate governance arrangements.
• Organizational structure and assignment of authority and responsibility.
• Human resource policies, practices, and commitment to competence.

3.11 Developing and Confirming Your Understanding of the Processes

Arrange Meetings with the Key Department Heads to:

• Confirm the business objectives and identify critical success factors
• Identify Key Performance Indicators (KPIs)
• Identify and understand stakeholders and any external factors and how they influence the process
• Identify any high-level risks that exist
• Discuss any relevant IT issues
• Understand departmental strategic objectives

Critical success factors and key performance indicators

§ For each objective, identify and discuss the critical success factors and how these relate to the major processes.
§ Identify the key performance indicators used to measure the critical success factors.
§ Determine how they are used by management to monitor the effectiveness of the process.
§ Determine the different factors (internal or external) facing the key processes in place.
§ Analyse the influence of each factor on the process.


Examples of factors affecting key processes

1. Stakeholder Influences. Examples include shareholders, debtors, employees, customers, and suppliers.
2. External Factors. These include political and economic trends, market conditions, legal and regulatory framework, competitors, technological change, and social change.
3. Information Technology (IT) and Human Resources (HR). Assess how IT and HR enable the key processes.

Understanding the IT environment

Understand the implications and extent to which technology, as it relates to the attainment of the business objectives, enables each process. Technology should be considered as an integral part of the Risk Assessment process.

The identification and subsequent assessment of IT risks should be performed in conjunction with the other risks to the organization.

Determine how IT supports the key processes.

Key questions to consider

§ Is the organization’s strategy heavily IT enabled?
§ What is the IT infrastructure?
§ What is the IT change environment?
§ What is the appropriate size of the IT department and budget?
§ How best is it to use service bureaus (e.g., ADP, and/or consultants and vendors)?

Information to be documented in the working papers

The following should be maintained in the working papers:
• The auditor/inspector’s assessment of the control environment and any identified risk factors.
• Appropriate notes to document the characteristics of the key processes.

3.12 Linking Internal Audit Focus to Key and Critical Processes

The principal objective of this step is to enable available internal audit resources to be efficiently allocated to those processes that significantly affect the strategic objectives or other concerns, which are the agreed-upon focus of the auditor’s/inspector’s internal audit services.

Information to be maintained in the working papers

• A matrix to analyze which processes are relevant to the internal audit focus
• Documentation of the relative importance of each process, including the rationale for this as agreed on with management.
• A matrix to analyze which processes are relevant to business objectives (if this mapping is performed)

3.13 Identifying Risks and Related High-Level Controls

The objective of this process is to provide adequate guidance for the identification of the significant risks as influenced by the internal audit focus (e.g., business objectives) and to determine, at a high level, the controls over these risks.

Issues to discuss with the auditee

1. The purpose and objective(s) of the process and the critical success factors which management has identified.
2. The beginning, end, key inputs, key outputs, key transformations and the sub-processes.
3. The impact of information technology on the process.

Important questions to be asked by the internal auditor/inspector

• What could go wrong?
• How could we fail as an entity?
• What must go right for us to succeed?
• Where are we most vulnerable?
• What assets do we need to protect?
• Do we have liquid assets or assets with alternative uses?
• How could someone steal from the department?
• How could someone disrupt operations?
• On what information do we rely most?
• On what do we spend the most money?
• How do we bill and collect our revenue?
• What decisions require the most judgment?
• What activities are most complex?
• What activities are regulated?
• Where is our greatest legal exposure?

It is important that risk identification be comprehensive at the departmental level and the activity-level for operations, financial reporting and compliance objectives. Internal and external factors must be considered.

Significant risks that exist in the process

Performing an analytical review of the process being audited is important. Such a review will help to provide an indication of the health of the process.

Typically, trend analysis is the most appropriate form of analytical review during the Risk Assessment. Capturing, acquiring, and analyzing data is time-consuming and generally considered appropriate for the Execution process only.


Questions to help identify significant risks

• What must go right in order for the process to achieve its objectives? One answer might be: “Purchased materials must be paid for within the discount period.”
• What could go wrong with the process that would prevent the entity objectives from being achieved? One answer might be: “Failure to deliver the services within the stipulated time.”
• How does IT or human resources enable the process and what significant risks exist as a result of these enablers? One answer might be: “Unauthorized or uncontrolled access to networks results in service disruption.”
• Is the process designed to be properly responsive to public and environmental forces (i.e., stakeholder influences or external factors)? One answer might be: “Failure to respond to regulatory changes resulting in heavy penalties.”
• Does the process contain any inherent conditions that may result in a financial or other loss (e.g., the risk of theft of cash/goods that exists within a retailing environment)?

Information to be maintained in the working papers

• Process characteristics for the key process.
• A list of risks and associated controls agreed upon with management.

3.14 Assessing Risks

Risk is defined as “any event, action, or inaction that hinders an organization’s achievement of its business (explicit and implicit) objectives.” Risk has two attributes: cause and effect.

Issues to consider when assessing risks

• The likelihood of the cause occurring.
• The resulting impact of the risk (e.g., on revenue, reputation, reporting).
• Initial assessment of risk.
• Initial evaluation of high-level controls, assuming that controls can mitigate the likelihood and/or impact of the risk occurring.
• The predetermined scale (e.g., high, moderate, or low) to use. This should be discussed with the auditee.
• The relevant time period. A risk may have a small impact if it occurs once, but if it could occur frequently during the year, consider what the cumulative impact would be.
• The factors that influence the risk (e.g., people, process, or technology).


Questions to use when evaluating high level controls

• Do the high-level controls appear effective or ineffective at mitigating the likelihood of the risk identified within the process?
• Are there several controls in place to mitigate the risk that result in process inefficiencies?
• Do the high-level controls appear effective or ineffective at mitigating the impact of the risk?

Information to maintain in the working papers

• Documentation of the likelihood and importance of risks, as agreed upon with management.
• Risk assessment rationale for risks, processes, and auditable units agreed upon with management.
• Rationale for initial evaluation of high-level controls.

3.15 Reporting and Agreeing on the Risk Assessment

The engagement team presents the results of the risk assessment along with the audit plan to the audit committee. This allows the audit committee to readily see that the audit resources are allocated to those areas that significantly affect the internal audit focus and business objectives of the organization.

Information to maintain in the working papers

Formalized agreement of the risk assessment (e.g. copies of minutes of audit committee or executive meeting).

3.16 Audit Plan

The audit plan is derived from the developing expectations and risk assessment processes. Potential processes and areas (e.g. regulatory compliance, system implementation) that should be considered for inclusion in the audit plan are identified.

Importance of this step

It helps the internal auditors/inspectors to:

• Review management’s expectations regarding audit coverage, as communicated in developing expectations, and develop an audit plan that is in line with those expectations (to the extent that audit resources are available)

• Align the audit plan with the results of the risk assessment (to the extent that audit resources are available)

• Determine skills needed to execute the audit plan and schedule resources needed for the engagement

• Prepare the audit plan and obtain approval from the internal audit liaison, executive management, and the audit committee


3.17 Major Processes

1. Risk Assessment. This is used to:
§ Develop audit work schedules.
§ Identify potential auditable activities.
§ Analyse the significance of the relative risk factors.
2. Auditable Activities. These are identified after reviewing the Ministry’s Chart of Accounts and budget.
3. Identification of Relevant Risk Factors. Examples include: competitive conditions, financial and economic conditions, adequacy and effectiveness of the system of internal controls, organizational, operational, and technological changes, competency, adequacy and integrity of personnel, etc.

Audit work schedules

The risk assessment process leads the Head of Internal Audit to establish audit work schedule priorities. The internal auditing department develops audit work schedules that include the following:

What is included in the audit work schedule

• The activity to be audited.
• When the activities will be audited.
• The estimated time required to audit the activity.

Issues to consider when establishing work schedules

• The date and results of the last audit.
• Financial exposure.
• Potential loss and risk
• Requests by management.
• Major changes in operations, programs, systems, and controls.
• Opportunities to achieve operating benefits
• Changes to and capabilities of the audit staff.

The Head may adjust these priorities after considering other information such as coordination with external auditors/inspectors, requests by management and/or the board.

Annual audit plan

The annual audit plan is prepared based on the risk assessment and is presented in the standardized format established by the Head of Internal Audit. At the beginning of the fiscal year, the internal audit department presents the annual audit plan to the audit committee for approval.


Components of the audit plan

• List of audit projects.
• Estimated hours for each audit project.
• Objective of each audit project.
• Type of review (internal control, financial, compliance).
• Priority (high, medium, low) and reason for the priority.
• Budgeted hours.

Developing an audit program

§ The audit program details each of the audit steps to be performed during the course of the review.

§ The Head of Internal Audit or his designee should approve the audit program prior to beginning the audit work. Any adjustments should also first be approved by him.

§ As evidence of work performed, each of the steps in the program should be cross-referenced to the corresponding work paper.

§ Upon completion of each audit step, the auditor/inspector should initial the audit program in the appropriate box indicating its completeness. In some cases (when not readily apparent), the reason for the audit step should be included in the audit program.

Identify resource needs and estimate hours to execute procedures

Using the proposed audit strategy as a basis, identify resource needs and estimate the number of hours required to perform the work for each of the selected processes and areas. This is achieved by allocating available hours to each of the selected processes and areas based on the significance of the risk, complexity of the process, impact on internal audit focus and the audit procedures expected to be performed.

Financial budget

The Internal Audit unit shall prepare a budget that will be reviewed by the Audit Committee and incorporated into the entity’s budget estimates.

Reviewing the audit plan to determine its consistency with management’s expectations

Upon completing the audit plan, the engagement team should review the Plan and consider the following questions:

• Is the audit plan consistent with management’s audit coverage expectations?
• Is the audit plan consistent with management’s view of cycling audits?
• Is the audit plan within the budgetary expectations of management?
• Do significant gaps in risk coverage exist and has this been appropriately communicated?
• Do we or the auditee have the resources necessary to perform the audit plan?
• Are all expectations and coverage issues noted during the co-develop expectations process appropriately considered in the audit plan?

3.18 Coordinating the Audit Plan

Once the engagement team has co-developed the audit plan, the next step is to begin to review the schedules of available resources and assign resources to processes and areas based on their individual skill sets. This allows the engagement team to be ready, upon approval of the audit plan, to execute the plan, as resources are preliminarily scheduled. If management or the audit committee should have changes to the audit plan, the engagement team can easily revisit the engagement project plan to accommodate the modification by shuffling resources.

3.19 Agreeing to the Audit Plan

The engagement team and the internal audit liaison present the preliminary audit plan to executive management and the audit committee in accordance with the established protocols communicated in the co-develop expectations process. The audit plan outlines the following:

• Risk assessment results
• Listing of potential audits
• Timing

It is important for the engagement team to follow all change request protocols to ensure the proper allocation of resources.

Information to be maintained in the working papers

• A copy of the audit plan
• A copy of the executive management and audit committee meeting minutes, documenting approval of the audit plan as presented or other appropriate documentation showing approval
• Documentation of any points that auditee personnel have asked you to consider for future audits so that you can revisit them when you update your audit plan


Article 4

Audit Execution

4.1 Designing Tests of Control

This is necessary when an auditor/inspector is asked to conduct a systems audit or when, after the PSE, the auditor/inspector believes it will be feasible to conduct a system based audit as opposed to a substantive approach. The auditor/inspector is seeking evidence of the operation of control procedures, for example, the checking of travel claims, which should be prepared in accordance with the financial regulations and recording in the cashbook. When planning substantive tests, the auditor/inspector may use the sample size of 40 tests of control as part of a representative substantive sample, as long as the evidence from the tests of control clearly provides substantive evidence.

Instances when tests of control can be designed

• When the system design has been documented, evaluated and found to meet the audit control objectives;
• When the control operations to be tested are separately listed on the audit working papers.

What to use when designing tests of control

1. Enquiry. It is the cheapest form of testing and the least reliable.
2. Observation,
3. Inspection and
4. Reperformance

In planning tests of control, evidence is required about the satisfactory operation of the control.

Issues to note about the evidence collected

§ Evidence that substantiates the correctness of transactions does not automatically provide evidence that the control (check) was correctly operated.
§ The best evidence that the auditor/inspector could get is transactions, which were in error when they came before the clerk (the errors which were detected by the clerk whilst conducting the control procedure).
§ The only evidence of transaction errors will be transactions rejected by the clerk, transactions amended by the clerk or transactions remaining in the population, in error.
§ The audit evidence available respectively will be: formal records or lists of rejected transactions kept by the clerk, alterations on prime documents observed during testing and errors discovered by the auditor/inspector during substantive testing.


Items to include when recording the program of tests of control

• The population;
• The population size;
• The sample size;
• The method of sample selection.

For as long as the system remains the same, the compliance-testing plan can be re-used from year to year.

4.2 Pre-Audit Work

The internal auditor/inspector should prepare for the audit visit before commencing the audit. This provides time for review of the previous years’ reports and papers and such research and information gathering as is necessary to ensure that the team will be ready to start as soon as they arrive on site. Typical procedures, which should be included in that process, are suggested below:

4.2.1 Familiarisation

• Obtain an understanding of the control environment.
• Obtain copies of all standard financial documents relating to this area;
• Prepare a record of the accounting records in use;
• Obtain an understanding of the financial regulations and any ministerial or departmental operating policies.

NB: If possible, most of the familiarisation tasks should be made easier by the maintenance of permanent files of information so this task might be incorporated within a single procedure: “Review and update permanent file”

4.3 Analytical Review

• Compare current year’s actual income and expenditure, line by line, with the current year’s budget;

• Compare current year’s actual income and expenditure, line by line, with previous year’s expenditure;

• For all income and expenditure heads, compare monthly income and expenditure during the current year.

Other analytical techniques include:

4.3.1 Ratios

§ Ratios can be calculated using financial or non-financial information or a mixture of both.

§ Using his/her knowledge of the audited body, the auditor/inspector should establish the various relationships between different items of information and examine how they change over time.

§ Care should be taken to ensure that the correct relationships between figures have been established.


4.3.2 Examination of trends

The examination of trends may be seen as an extension of the time comparison over a period of years and may be valid for ratios as well as specific account figures. Observed trends must be critically examined. Relatively small changes from year to year may generate little interest but, over a period of years their cumulative effect may be significant.

As with the other procedures, the information selected for this type of review needs to be determined by the auditor/inspector using his/her knowledge of the body. Explanations of any abnormality must be sought by the auditor/inspector for the procedure to be effective.

4.3.3 Reviewing for consistency

Related elements within the financial systems should be reviewed for consistency because there may be a direct relationship between the expenditure and receipts for certain items. An example of this would be posters supplied by the Ministry of Tourism; the purchase price is negotiated, pricing policy established and the auditor/inspector could calculate the relationship between the cost of stores issues and receipts and use this as a standard from month to month or year to year.

4.3.4 Proof-in-total techniques

Proof-in-total is a predictive test used to gain assurance regarding the correct statement of a financial figure. It is often considered as a substantive test, and can be used to complement or even replace tests of detail. It is particularly useful where the expected value of a figure can be calculated based on the prior year value, and known changes to the composition of the figure. Proof-in-total involves estimating the value of a figure based on independently verified audit evidence. As a guide, if the estimate is within 3% of the actual figure, this provides reasonable audit assurance that the figure is not materially mis-stated.

4.3.5 Examination of management information

• Obtain a copy of any information available to the Head of Department under review for the purposes of exercising overall control;

• Confirm that it is accurate and up-to-date;

• Examine information and follow up any items, which appear to be odd. This is a re-performance test and ought to provide evidence about the exercise of control by the Head of Department based on the use of the information supplied.

4.3.6 Assembly of Information

• Examine all “intelligence” information filed since the last audit visit relating to allegations and current developments in the ministry or department to be audited;

• Discuss with officers in the Ministry of Finance their impression of the performance of the Head of Department in adhering to financial regulations, specific instructions or completion of returns or other documents;

• Establish whether officials in the Ministry of Finance have experienced problems with the Accounting Officer;


4.4 Carrying Out Tests of Detail and Substantive Procedures

The conduct of audit work usually follows a standardised route through the audit. Audit programs should be drafted in such a way that the timing of the work is recognised. The order of the performance of audit tests is usually:

• Pre-audit work: To highlight any specific issues which need to be examined in this audit;
• Compliance tests: To form a view about the operation of control. If systems are not reliable then substantive or weakness tests will be required
• Substantive tests: To confirm the correctness of records and documents.

NB: Weakness tests should be designed specially for the circumstances discovered at the audit and should not normally stay in the audit program.

4.5 Issues for Management’s Attention

a) Preparing an Issue Summary

An Issue Summary is prepared when risks are inappropriately controlled. It should be reviewed by the in-charge auditor/inspector and presented to management for action.

Objectives of the Issue Summary

• Obtain confirmation of factual accuracy of identified issues
• Request an action plan from management to address the control weakness, for inclusion in the audit report
• Enable corrective action to take place as soon as possible
• Communicate a cooperative spirit with auditees by advising them early about business risks, related controls, and recommendations
• Co-Develop an understanding of significant reportable issues and non-reportable issues with the auditee

Components of the issue summary

• Observations: Details of any observations that indicate the absence of control or the results of testing with regard to the appropriateness of the controls. If appropriate, the observations should also describe the standard that should have been adopted (i.e., what should be) and the cause (i.e. why the observation occurred).

• Risk: Details of the risk that is being inadequately controlled because controls have not been implemented or are not functioning as designed. When the issue identified is a process improvement in nature, it may be appropriate to use “Implication” rather than “Risk.”

• Recommendation: Action recommended to address the risk. Always be aware of the cost/benefit implications of any recommendations made. If the costs of implementing controls exceed the risk, look for alternatives.

• Management Response: Management’s response to the observation, including identifying the action to be taken to address the risk, who will take the action, and a date by which the action will be completed.

Do not include a recommendation in the Issue Summary. Allow management to agree that the issue exists and co-develop the most appropriate solution to address the risk. This facilitates ownership of the action plan by management. It is still critical to consider what action the auditor/inspector would recommend, as this will be useful when evaluating management’s suggested action or to provide guidance to management.

4.5.1 Format of the Issue Summary

Client:

Audit Project:

Audit Date:

Topic:

Observation:

Risk:

Recommendation:

Management Response (Please include the proposed date of implementation or a reason for non-implementation):

Auditee Signature and Date:

Significance: High / Moderate / Low

Include in Report? Yes / No

Order in Report:

Reviewed by:

b) Reviewing the Issue Summary

The in-charge auditor/inspector or his/her designee should review the Issue Summary before it is sent to the auditee. The in-charge auditor/inspector or designee should:

• Be aware of all audit issues
• Review the summaries for accuracy and adequate supporting documentation
• Determine whether the working papers support the conclusions reached
• Ensure that the Issue Summaries are professionally written.

c) Presenting Issues to Management

Present each Issue Summary to management in person and in accordance with the agreed-upon protocol, but make sure that the recipient will be the person responsible for taking or authorizing the corrective action. Ask management to provide a response to the issue within a reasonably short time frame.

d) Evaluating Responses

When received, responses should be reviewed for:

• Factually inaccurate findings
• Adequate corrective action to reduce risk
• Timeliness of corrective action

When there is a disagreement regarding factual accuracy, verify the additional information that management provides and re-evaluate the risk and control. If a response is inadequate, discuss the corrective action with the responder and request the additional information needed. The additional response should be provided by the auditee in writing. Ultimately, if agreement cannot be reached, refer to the protocol agreed to in the Co-Develop Expectations mega process. If management’s response is not received by the agreed date, contact the auditee to determine the reason for the delay and to determine when the response will be received. The best solution may be to arrange a meeting to discuss the action to be taken.

4.5.2 Information to be maintained in the working papers

Our working papers should include the following:

• Analysis of the controls in place to mitigate each risk identified in major processes.
• For each identified risk, the auditor/inspector should have an Issue Summary on file containing a response from management.
• The response and details of the action the auditor/inspector takes when management’s response accepts the risk but indicates that management is unwilling or unable to take remedial action.

4.6 Concluding the Audit and Report

The steps taken to conclude the audit, including the preparation of the audit report, are essential elements for producing a quality audit product. The audit report is one of our most visible deliverables, providing feedback to auditee management on the results of our audit. The report should include all the significant issues identified as a result of our audit procedures. At the end of our fieldwork, issues from the audit are collated, reviewed, prioritized, and consolidated in the audit report. This report is published in draft form prior to holding a closing meeting with process owners, during which its contents are discussed and agreed upon.

4.7 Reviewing Working Papers

a) Review throughout audit project
b) Perform final working paper review
c) Remove review comments, “to do” notes, and report drafts
d) Look for complete documentation that supports issues and scope
e) Look for findings that have not been recognized and reported
f) Document ideas to improve future audits (when appropriate)
g) Prioritize observations
h) Rate findings
i) Review for inappropriate language

Elements to be included in an audit report

• Background: a high-level description of the audit process
• Objectives and Scope of the Audit Project: a brief description of the scope/objectives of the audit project
• Period: an indication of the period covered by our procedures
• Findings: significant issues identified and documented throughout the audit using the issue summary
• Recommendations: outlines suggested actions that management should consider to address an audit finding
• Date: the report is dated (month, date, and year) on the day that fieldwork is substantially completed
• Signature: Report should be signed.

4.7.5 Illustration of writing reports:

Section: Background

Institute of Internal Auditor/Inspectors: Background information may identify the organizational units and activities reviewed and provide relevant explanatory information.

Leading Practice: The background description of the area or process audited should be brief and should provide a short overview of the area. It can provide additional insight to the reader. It also can demonstrate our understanding of the area audited. The types of information that may be included are:

1. Personnel/turnover/staffing needs
2. Organization/major changes
3. Other factors
4. System issues
5. Process ownership and inherent problems
6. External factors affecting area audited

It is not necessary to include all six types of background information.

Section: Objectives

Institute of Internal Auditor/Inspectors: Purpose statements should describe the internal audit focus and, when necessary, inform the reader why the audit was conducted and what it was expected to achieve.

Leading Practice: The objectives of the audit are described in the report.

Section: Scope

Institute of Internal Auditor/Inspectors: Scope statements should identify the audited activities and include, where appropriate, supportive information such as time period audited. The nature and extent of auditing performed should also be addressed.

Leading Practice: The scope is described in the report and should not be a listing of the steps of the audit program.

Section: Period

Institute of Internal Auditor/Inspectors: The time and period audited should be included in the scope statements.

Leading Practice: All reports should indicate the period covered by the auditors’/inspectors’ procedures.

Section: Findings

Institute of Internal Auditor/Inspectors: Findings are pertinent statements of fact. Less significant findings may be communicated orally or through informal correspondence.

Leading Practice:

• “Observation and Risk/Implication” is the last section of the report. The heading would include the client name and area or process audited. The business risk identified as a result of the finding should always be listed.
• Appropriate sections of the Issue Summary can be copied into the audit report. If the Issue Summary is properly written, the audit report writing process should be streamlined and be more consistent.
• Each observation and risk should be listed in the order of importance. It may enhance the reader’s experience if like observations and risks are grouped together under each topic. In situations where the recommendations for several observations are the same, consider grouping the findings together under one topic related to the recommendation.
• Bullet points often make it easier for the reader.
• Numbering of observations and risks (instead of bullets) is not recommended since it is often perceived as a counting of mistakes.
• Working papers should indicate that less significant findings have been reviewed with management, noting the date and name of client contact.

Section: Recommendations

Institute of Internal Auditor/Inspectors: Recommendations are based on the internal auditor/inspector’s findings and conclusions. They call for action to correct existing conditions or improve operations.

Leading Practice: The recommendations are actions that management should consider to address audit findings.

Section: Signature

Institute of Internal Auditor/Inspectors: A signed, written report should be issued after the audit examination is completed. The term “signed” means that the authorized internal auditor/inspector’s name should be manually signed in the report.

Leading Practice: The report is signed after all required reviews are completed and issuance of the report has been authorized by the Team leader.

Section: Date

The report is dated (month, date, and year) on the day it is substantially completed and issued.

Section: Conclusions/Summary

“Conclusions” are the internal auditor/inspector’s evaluations of the effects of the findings on the activities reviewed. They usually put the findings in perspective based upon the findings’ overall implications.

Section: Positive Comments

Institute of Internal Auditor/Inspectors: Auditee accomplishments, in terms of improvements since the last audit or the existence of a well controlled operation, may be included in the audit report.

Leading Practice: A list of strengths and/or best practices may be included in the report. This typically demonstrates recognition of positive issues (tends to soften the negative). We cannot endorse any issues without total consideration of the applicability throughout the company. As a result, the “Strengths” or “Leading Practices” sections should be prefaced by “During the course of our internal audit, we noted the following strengths of the operations. Although each is considered as a strength of the area audited, the applicability of each of these issues to other areas of the Company must also be considered.” The strengths or leading practices can then be bullet-pointed.

Section: Management’s Response/Action Plan

Institute of Internal Auditor/Inspectors: The auditee's views about audit conclusions or recommendations may be included in the audit report. As part of the internal auditor/inspector's discussions with the auditee, the internal auditor/inspector should try to obtain agreement on the results of the audit and on a plan of action to improve operations, as needed.

Leading Practice: Management’s response should be included in the internal audit report to put the finding in perspective. The reader can then understand the finding and the status of the action taken to correct it at one time. “Action to Be Taken” or “Action Plan” can be used in our reports instead of “Management’s Response” and “Recommendation.” This approach concentrates on the corrective action taken versus who made the recommendation.

When constructing the report, the following guidelines should be used.

Cover Page

The cover should include:

• Auditee name
• Process or area evaluated
• Period covered

Title

The titles and headings should be in a larger font than the text.

Table of Contents

Consider using a table of contents when the report is longer than five pages. If applicable, the index should have the same title as the cover sheet and should include a list of the headings of each section within the report.

Appendices

Appendices can be used to provide additional information that does not belong to the body of the report. It may include an overview of the risks examined, ratings definitions, etc. Appendices should be used only when needed in order to provide the reader with required reference material.

Page Numbers

All reports should have page numbers. The report should be consecutively numbered with the first page number starting after the index.

Unresolved Issues from the Previous Audit Report

Unresolved issues from a previous audit report are treated in the same manner as other issues identified. Reference should be made to the fact that the issue was raised previously but remains outstanding.

Issuing a Draft Report

a) Prepare a Draft Report

Prepare a draft report of detailed findings and recommendations. The draft audit report, including findings and recommendations, typically is only distributed to process owners. The final report distribution includes executive management and the Audit Committee. The principal reason for this is that the draft report provides a final opportunity for:

• Management to challenge the accuracy of the issues raised in the report
• The engagement team to validate the action plan to address each issue

b) Issue the Draft Report

Issue the draft report in accordance with the agreed-upon distribution.

c) Schedule the Closing Meeting

The closing meeting or exit conference should be held soon after completing the audit field work.

4.7.6 Conducting a closing meeting

a) Select Attendees

Members of auditee management who are invited to attend the closing meeting should have been discussed and identified during the scoping stages of the audit project. As a minimum guideline, members of management who have ultimate responsibility for implementing the action plan of each issue should be invited to attend.

The engagement team member in charge of the audit project should attend. Additional staff members can also be asked to participate, particularly when those individuals have specific knowledge of complex or technical matters that may be discussed.

b) Discuss Draft Audit Report

Discuss the draft audit report to reach agreement on each of its components. Specifically, the meeting provides an opportunity to:

• Clarify points or issues
• Resolve any misunderstandings
• Demonstrate the value we have provided
• Agree on follow-up activities

Maintain detailed minutes to provide evidence of management’s response to the issues raised. The minutes should be kept in the working papers.

4.7.7 Issuing a final audit report

Make any required changes to the draft audit report and issue it in accordance with the agreed-upon final audit distribution.

Follow up on reported audit findings

The protocol for the follow-up on reported findings should be discussed with the internal audit liaison during the Co-Develop Expectations process. The nature, timing, extent, and scheduling of follow-up activities and the procedures and techniques employed are determined by the auditee.

4.8 Communicating Results

At a minimum, executive management and the Audit Committee must formally review, agree and approve the Risk Assessment and the Audit Plan prior to executing a substantial portion of the Audit Plan. Throughout the year, we communicate the status of executing the Audit Plan and a summary of the results of our audit projects, including significant findings.

Article 5

Working Documentation of an Internal Auditor/Inspector

5.1 Working Documentation

Working documentation is a set of documents prepared by or for the internal auditor/inspector in connection with the conduct of an internal audit. Working documentation consists of a constant part and a variable part. The constant part contains usual data, which are of a historical and permanent nature. The variable part contains working documents relating to the current year.

The internal auditor/inspector is obliged to document things that are important as evidence supporting the auditor/inspector's opinion and documenting that the internal audit has been carried out in accordance with the auditing standards.

How working papers are stored

1. Paper
2. Films
3. Electronic data media

Purposes & uses of audit working papers

• To provide the principal support for our audit opinion
• To facilitate the conduct of an internal audit;
• To facilitate supervision and inspection of the work of an internal auditor/inspector;
• To record any evidence resulting from the work of an internal auditor/inspector in support of the auditor/inspector's opinion
• To aid us in the conduct and supervision of the engagement consistent with professional standards and firm policies and procedures
• To provide important information for subsequent audits and for potential review by third parties who may challenge the sufficiency of our work.
• Working papers may provide information for further investigation
• Review by third parties

Components of the title page of the working documentation

• Full name of the internal auditor/inspector;
• Name of the auditee
• Subject of the internal audit;
• Organisation/department being audited (auditee);
• Time period of the internal audit;
• Reviewer
• Full names of the auditors/inspectors who carried out the internal audit/inspection (where the audit/inspection is conducted by several auditors/inspectors);
• Contents of the working documentation.

5.2 Principles for the Compilation of Working Documents

Internal auditors/inspectors are required to compile and maintain detailed working documentation, giving an overall picture of the internal audit performed.

In the working documentation, the internal auditor/inspector should record information on:

• The objective of the audit/inspection
• The planning, nature, time period, and scope of the auditing/inspecting procedures,
• The results of these procedures, and
• The conclusions arising from the audit/inspection performed.
• All the data on which the opinions and judgements of the auditor/inspector are based.
• The nature, term, and scope of tests of correctness are based on the evaluation of financial management at the audited organisation;
• The working documentation obtained, auditing/inspection procedures applied, and tests performed, provide sufficient evidence, which is an adequate basis for an opinion on the activity that is audited.

Determinants of the contents of the working documentation

• The nature and type of the internal audit;
• The form of the internal auditor/inspector's report;
• The nature and type of activities performed by the auditee;
• The nature and conditions of accounting and financial management applied by the auditee;
• The needs in the area of management, supervision, and control of the work performed by the internal auditor/inspector;
• The specific aspects of the methodology and technology applied during an internal audit.

Contents of the working documentation

• Information about the legal form and organisational chart of the audited organisation;
• Extracts or copies of important legal documents, contracts, records, and plans;
• Information about the sector, the economic and legislative environment in which the organisation operates;
• Evidence of the fact that the internal audit was planned, including the programme of the audit and its changes;
• Evidence of the internal auditor’s/inspector's decision to carry out an audit and of the conclusions reached;
• Analysis of transactions and balances;
• Analysis of relations, relationships, and trends;
• Records in respect of the nature, time limit, and scope of the audit work performed;
• The name of the person who determined the auditing process, including the date;

• Details about the procedures applied during external audit, if an external audit was conducted in the organisation concerned;

• Copies of correspondence between the internal auditor/inspector and other auditors/inspectors, experts, or third parties;

• Letters with statements, made by the management of the audited organisation;

• A copy of the organisation's financial statement, report of an external auditor/inspector, report on internal control.

5.3 Principles for the Preparation of Working Lists

The internal auditor/inspector should record his activities in working lists on a daily basis, according to the following principles:

• Each working list should contain the name of the area that is audited, the time limit for the audit, title – contents, name of the person who has prepared the working list, date of elaboration and the index – designation of the list;

• The working lists are to be indexed – marked with cross references enabling rapid search;

• Completed working papers shall clearly document the work of auditors/inspectors. This can be achieved, for example, by writing a final evaluation of the internal audit performed (memorandum), with notes on the working list, using symbols with clear explanations on the working list;

• The person in overall charge of the audit needs to be able to satisfy himself/herself that work delegated by him/her has been properly performed. He/she can generally only do this by having available to him/her detailed audit working papers prepared by the audit staff who performed the work.

• The audit working papers provide, for future reference, details of problems encountered and adequate evidence of work performed and conclusions drawn therefrom in arriving at the audit opinion.

• Audit working papers should always be sufficiently complete and detailed for an experienced auditor/inspector with no previous connection with the audit to subsequently ascertain from them what work was performed and to support the conclusions reached.

• Working papers should be prepared as the audit proceeds so that details and problems are not omitted.

• Audit working papers should include a summary of all significant matters identified which may require the exercise of judgement, together with the auditor’s/inspector’s conclusions thereon.

• If difficult questions of principle or judgement arise, the auditor/inspector should record the relevant information received and summarise both the management’s and his conclusion.

Working papers can conveniently be split into three:

1. Permanent File

Permanent files are used for data that can reasonably be expected to be needed in audits for more than two years. The following are typical permanent file materials:

• Law establishing the institution/project
• General information about the auditee
• Regulations governing the institution/project/ministry
• Accounting policies and procedures
• Historical analysis of accounts
• Income tax information.

2. Systems File

The systems file can be used to record the way in which the auditee’s internal control and accounting systems operate. Typically, this will be in the form of flow charts recording each of the accounting areas supplemented, where necessary, by narrative notes.

3. Current files

The current file will contain all the working papers in relation to the current year’s audit, and these can be quite extensive. A typical format would be as follows:

Indexing Working Papers

The objective is to make it easy for anyone to retrace the steps we took to complete the audit, and to make working papers easy to locate.

• Use the pyramid system: At the base are detailed working papers. As we proceed to the top of the pyramid, we need to continue to build a supportive base that meets our audit objective
• Each working paper has a unique index
• An index is assigned to each audit working paper as soon after its preparation as is practical. Indexing is used to maintain consistency

Purpose of Cross-Referencing

• To indicate where certain numbers or other data originated (i.e. where supporting detail can be located)
• To indicate where various detail amounts have been summarised in the working papers

How do we Cross-Reference?

We cross-reference amounts between two working papers by placing the other working paper reference next to the number being cross-referenced. Generally, we try to cross reference our amounts from the detail working papers up to the summary-level working papers. In this manner, someone can easily follow our process and flow of information.

Effective Working Papers should contain

Working paper headings

• It is important that working papers are properly identified. Details should include: auditee name, a title or description, and the audit period to which they apply.
• The proper use of headings is imperative to appropriate identification.

Clear and concise tick marks

• Tick marks are used to indicate the procedures performed on data in the working papers
• Tick mark explanations may be customized by the engagement team and will always have the same meanings when used throughout the engagement
• Other tick marks may be used on working papers. When creating new tick marks, their explanations should be clear and concise, specifically describe the work performed, and be fully explained on the particular working paper where they are used
• Tick mark explanations normally include a description of the following:
  • Evidence examined, findings, and results
  • Unusual items noted and how they were resolved

Narrative comments

Narrative comments on audit schedules can include many forms of documentation. Narrative comments include:

• Brief summary of discussions with auditee personnel
• Data needed for notes to the financial statements
• Description of an account when it is not evident from the title
• Additional information that would clarify data on the schedule and make it easier for others to review

Audit conclusions

We document overall audit conclusions relating to all audit areas we reviewed.

Signing-off

All audit working papers require the sign-off of the preparer and the detailed reviewer at a minimum and also should document the date of each sign-off.

An Illustrative example of the general index of working papers

WP          General File
1           Internal auditor’s/inspector’s report
2           Exit conference & findings
3           Entrance conference/notification
4           Preliminary survey/planning memo
5           Review & supervision notes
6           Audit program
7 and Up    Evidence working papers

            Permanent File
PF 1        Organizational chart
PF 2        Applicable statutes and regulations
PF 3        Internal control information - narratives, flowcharts, questionnaires, etc.
PF 4        Description of the accounting records, description of the funds, basis of accounting, etc.
PF 5        Departmental mission statement
PF 6        Department budget and other strategy documents

Article 6

Financial Audits

6.1 Introduction

The purpose of this article is to set procedures for conducting a financial audit and also to provide an overview on major tools to assist an internal auditor/inspector in conducting an effective financial audit.

6.2 Definition of Financial Audit

A financial audit evaluates whether financial statements or reports accurately portray the financial condition and/or activities of the audited entity.

Components of a financial audit

a) Examination and evaluation of financial records, and where applicable, expression of opinions on financial statements;
b) Verification of financial accountability of the government administration as a whole;
c) Audit of financial systems and transactions, including an evaluation of compliance with statutes and regulations;
d) Evaluation of internal control systems;
e) Audit of the integrity and propriety of financial and related administrative decisions taken within the audited entity.

During a financial audit execution, the Internal Auditor/Inspector also focuses on evaluation of management procedures, reporting and operations inside an auditee as well as on effectiveness of financial transaction controls in place.

6.3 Objective of a Financial Audit

The objective of a financial audit is to verify data recorded in financial statements and evaluate the financial controls in place to ascertain whether there was proper stewardship of public funds and efficient use of public money.

Issues to Consider

• Correctness, entirety, provability, understandability of accounting information
• Physical safeguards and security of accounting information
• Integrity and protection of assets
• Timely provision of accurate and reliable information for decision making

6.4 Financial Audit Procedures, Preparations and Execution

The following are the usual stages of the Financial Audit Execution:

• Acquaintance with areas which will become subject of Financial Audit
• Collection and evaluation of information
• Internal control review
• Accounts verification – phase of testing and examinations
• Audit completion, reporting and follow up.

6.4.1 Acquaintance with areas which will become subject of Financial Audit

Understanding the auditee’s business is an important step in all categories of audit. This helps the Internal Auditor/inspector to identify risks which could have a significant effect on financial statements. This can be further analysed as follows:

6.4.2 Acquaintance with legislation relevant for the auditee

• laws, regulations and directives effective
• legal, taxation or budgetary specific details
• special accounting rules
• responsibilities related to fund management

6.4.3 Acquaintance with auditee's social and economic environment

• overall organisation and structure
• organisational charts – task and function descriptions – decision-making system
• important external factors
• nature and specifics of auditee's activities
• strategy and objectives of auditee's management
• budgeting
• assess the reporting structure
• number of staff and working environment
• volume and types of transactions
• trends of development to be considered, reforms undergoing
• evaluation of events that have happened since the beginning of year and after the financial statements have been produced

6.4.4 Acquaintance with auditee's accounting and financial environment

• Accounting, financial and budgetary procedures
• Managerial arrangements and control mechanisms for funds managed
• Chart of accounts, accounting methods and accounting principles
• Accounting entries specific for auditee's activities
• Accounting cycles (periods), chains and assignments to be subject of Audit
• Forms of accounting records
• Types of accounting books, accounting documents and written documents

• Way of starting, registering and accounting each of transactions
• Possibility to track back the overall course of transactions
• Cash operation management
• Financial statements, administration and control system to adhere to the budget
• Actual state and frequency of financial control execution
• Budgetary items, accounts, allocations and resource consumption

6.4.5 Acquaintance with auditee's data processing environment

• Staff, level of education accomplished
• Configuration of computer technology and systems
• What software has been established? Does it cover 100% of financial operations? How are transactions processed and registered in contrary (adverse) cases?
• What about protective and security systems? Are they reliable and applicable?
• What systems are used for data archiving?
• Are there any monitoring tools in place that would systematically monitor execution of controls in the overall course of operations?

6.4.6 Evaluation of processes should cover:

1. Management and Strategy (does it exist or not?)
a) Organisation structure
b) Clear identification of powers and authorisations
c) Transparent, generally applied valid procedures
d) Goals and objectives, strategies of achieving objectives
e) Performance indicators
f) Measures to identify risks and areas to be improved
g) Actual risk management culture
h) Information system to identify internal or external information necessary for management
i) Communication system to provide proper information to the recipients within the deadlines set.

2. Accounting – Budget – Reporting

After the initial overall evaluation of accounting, financial and information systems, the internal auditor’s/inspector's role shall be to focus on areas linked with potential financial and system-based risks in terms of missing or insufficient procedures and controls. Potential risks in the accounting area may include for instance:

a) Unrealistic asset values
b) Cases of negligence in maintaining accounting records
c) Accounting documents lacking for some accounting entries
d) Accounting entries with incorrect amounts
e) Accounting entries made on incorrect account
f) Chart of accounts applied incorrectly or not adjusted

g) No accounting entry made where it should have been made or wrong accounting entry and final balances not explained or unchecked accounting records corrected incorrectly

h) disputable state of accounts due to the fact that the auditee concerned does not do any accounting entry or does not report any accounting entry in the period which such entry is related to in terms of time or its subject matter (hereinafter referred to as the “Accounting Period”)

i) Concerns about reliability of auditee's financial statements or management schemes

Potential budgetary risks may include:

k) Risks linked with respecting of the budgetary indices,
l) Risks of transparency, completeness and reality of the budget,
m) Risks connected with budgetary measures,
n) Risks connected with the budget observation,
o) Risks connected with other than budgetary sources,
p) Other risks – for instance: failure to observe the limits of accounts, budgetary structure etc.

6.5 Review of Financial Processes

6.5.1 Budgeting

Activities involved

The key areas that an auditor/inspector should focus on include budget;
- Formulation
- Approval
- Execution
- Control

Key Control Objectives

To ensure that;
1. The ministry’s budget is prepared in accordance with the laid down regulations and instructions,
2. There is effective monitoring of expenditure and revenue against estimates
3. The budgetary control is effective.

Key Risks

- Inadequate monitoring and reporting results in overspending and under collection
- Government’s priority areas may not be catered for as per the set plan.
- Poor quality budget estimates because of the wrong budget estimates being used.

Important Records needed for the audit

At the start of the audit, the auditor/inspector should request for the following;
1. Approved budget
2. Development Plan
3. Budget Work Plans
4. Vote books

Budget Audit Programme

Ref Audit Programme Tasks

Budgetary Preparation
1 Review;
- Review the personnel charged with budgeting.
- The various departments’ annual work plans and budgets.
- The annual plan and budget approval.

Budgeting, Monitoring and Control
2 Examine the vote books and confirm that the vote books correctly record the amounts as per the approved budget estimates.
3 Examine the vote book and confirm whether the expenditure budget has been adhered to.
4 Ascertain whether timely action was taken when applying budget revisions.
5 Review appropriate reports to confirm whether the actual expenditure against budget estimates are monitored by the relevant parties.
6 Through discussions with the Head of Finance and review of relevant reports, confirm that there is monitoring of actual revenue against the set revenue estimates.

REVENUES, RECEIPTING AND BANKINGS

Donor Funds

Activities involved

The main emphasis is on the receipt and expenditure of donor funds.

Key Control Objectives

To ensure that;
1. There is VFM in the utilization of the funds received.
2. The funds are used in accordance with the set terms and conditions.

Key Risks

1. Failure to fulfil the donors’ set conditions.
2. Inadequacy in the reporting of donor programme support.
3. Poor control over the funds resulting in loss of future support from the various donors.

Important records needed for the audit

At the start of the audit, the following should be availed to the auditor/inspector;
a) A listing of all funds received from the donors;
b) Copies of agreements with service providers and contractors;
c) Bank statements;
d) Copies of receipts for the received funds;
e) Copies of Accountability Statements;
f) Copies of the agreements that were signed with the donors.

Suggested Sampling

It is advisable to select 100% of all programmes.

Audit Programme-Donor Funds

Ref Audit Programme Tasks

Funds received and the signed agreements
1 Contact the donor and request for a schedule of all the funds donated to the entity. Use the schedule to confirm that the receipts have been issued for all the received donations.
2 All the donations have been posted in the relevant books of accounts and appear on the bank statements

Stock register-(for non-financial materials donated)
3 Ensure that the materials have been entered into the relevant books of accounts e.g. the donor stock record
4 Undertake site visits to confirm existence of the materials

Accountability
5 Confirm that complete and accurate financial statements are prepared and submitted in accordance with the agreed upon terms in the agreement with the donor.
6 Contact each donor and get their view on whether they are satisfied with the way the funds were utilized and accounted for.

Revenue Collection, Receipting and Banking

Activities involved

The auditor’s/inspector’s emphasis will be on all revenue collection and receipting areas.

Key Control Objectives

To ensure that;
A. All revenue is accurately and promptly recorded.
B. The collected revenue is banked promptly.

Key Risks

1. Incorrect revenue accounting and recording.
2. Under banking of revenue.
3. Poor revenue collection.
4. Poor physical control over the collected cash.

Important records needed for the audit

The auditor/inspector should request for the following documents at the start of the audit;
a) Organizational chart;
b) Revenue registers;
c) Cash books;
d) Daily cash and cheque summaries;
e) Bank statements;
f) Register of receipt books;
g) Register of paying-in books.

Suggested Sampling

It is advisable to select 100% of all the previously issued receipt books.

Audit Programme-Revenue Collection, Receipting and Banking

Ref Audit Programme Tasks

Preparation and banking of Receipts
1 Ensure that the authentic signature for the officer responsible for signings is on the cover of each and every receipt book.
2 Confirm that the details on the receipts are legible.
3 Match receipts to the amounts banked and the details on the bank statements. Ascertain that receipted monies were banked intact.
4 Ascertain that the amounts in the revenue collector’s cash book agree with the bank deposit slips.
5 Trace the deposits to the main cash book

Receipt Register Integrity
- Using the receipt register, validate the authenticity of the signature of the person signing on the receipts.
- Reconcile each revenue collector’s receipt books to the central receipts register.
- Physically inspect all the unused receipt books and ascertain that their sequences agree to the receipt register
- Examine the receipt register and ascertain that all issued receipt books were signed for.

Posting and Accuracy
- Check the casting and balancing of the receipts cash book.
- Post the receipt totals to the general ledger

PAYMENTS

Salaries, Pensions, and Gratuities

Activities involved

Under salaries and pensions, the following are of emphasis;
- Appointment;
- Gross pay;
- Salary levels;
- Compulsory deductions;
- Employee Training etc.

Key Control Objectives

To ensure that;
a) The set procedures are adhered to.
b) The maintained records are adequate and accurate.
c) The right security measures are in place to safeguard monies/cheques to be paid out.

Key Risks

1. Failure to comply with the set regulations and guidelines in the recording, paying and reporting of salaries/pensions.
2. Salaries paid may not be authorised.
3. Incorrect posting of the payments in the ledgers and the cash books.

Important records needed for the audit

The following records should be requested for at the start of the audit;
a) The current approved salary structure;
b) Staff records (of the selected sample);
c) Advances register;
d) Overtime register;
e) Time keeping register;
f) Leave records;
g) Training records; and
h) Sickness records.

Suggested Sampling

Select one month’s payroll for your audit.

Audit Programme-Salaries, Pensions and Gratuities

Ref Audit Programme Tasks

Payroll Payments
1 Agree 100% payroll payments to the register; check that all the amounts tally.
2 Using the current approved salary structure (and a 25% sample of all staff), confirm that all posts are paid as per the established grade.
3 Review the deductions made and ascertain that they are reasonable. Investigate any large variances found.
4 Get a list of the significant allowances/advances and ascertain that the transactions were approved by the relevant person and that the correct procedures were followed.
5 Check 100% of the net amounts per the payroll to the bank transfer instructions.
6 Ascertain that the total amount of the bank transfer instruction is reflected on the bank statement.

Payroll Deductions
7 Review the casting of the payroll deductions to ascertain that the given total is correct.
8 Ascertain that the deductions have been paid to the respective creditors (e.g. URA).
9 Ascertain that the recovered advances have been correctly recorded in the advances register.

Payroll Records
10 For the selected sample of the employees, verify that they are actually in existence.
11 Confirm that the contained salary grade in each staff’s record file is the same as that on the Establishment Register
12 Ascertain that there is a permanent record of each employee’s service
13 Ascertain that the necessary changes have been made to the Register, especially with regard to new employees and those who have left.

Non-Wage Payments

Activities involved

Such an audit would focus on;
1. Requisitions
2. Authorisations
3. Local purchase orders (LPOs)
4. Receipt of goods
5. Payment vouchers
6. Payments (cash or cheques)
7. Postings in the relevant books of accounts

Key Control Objectives

To ensure that;
a. All payments are within the relevant approved budgets.
b. The expenditure incurred was approved.

Key Risks

1. Non-existent budget allocation for the payments made.
2. Payment made to wrong persons.
3. Wrong posting of payments in the cash book.
4. Payment vouchers may not have supporting documents.

Important records needed for the audit

The auditor/inspector should request for the following documents at the beginning of the audit;

a) Cash book;
b) Requisitions;
c) Copies of bank payment instructions;
d) Local purchase orders (LPOs)
e) Goods received notes;
f) Accounting records;
g) Stores records;
h) Approved signatories lists;
i) Listing of all the approved suppliers and contractors

Audit Programme-Non-Wage Payments

Ref Audit Programme Tasks

1 Ensure that the payment voucher has been properly completed and authorised by the concerned parties.
2 Ascertain that the payment voucher is supported by;
- A departmental requisition for the required goods/services.
- A copy of the LPO.
- Copy of the delivery note from the supplier
- A GRN from the stores.
- A supplier’s invoice
3 Review the purchase requisition, LPO and GRN and ascertain that the appropriate officers have completed and signed on them.
4 Ascertain that the expenditure has been charged to the correct vote.
5 Ensure that the payment instructions have been recorded in the Payments register.
6 Ascertain that the payment instructions were signed by the authorised signatories.
7 Ensure that the payment instructions were directed to the correct payee as per the contract.
8 For fixed assets purchased, ascertain that they are correctly recorded in the fixed assets register by checking from the goods received note to the fixed asset register.

Advances and Allowances

Activities involved

The main areas of focus include;

- Personal advances;
- Administrative advances.

Key Control Objectives

To ensure that;
a) All personal and administrative allowances are approved in accordance with the specified rates.
b) The advance accounts are accounted for and well managed.

Key Risks

1. Poor control over advances and allowances.
2. Improper use of entity funds.

Important records needed for the audit

The auditor/inspector should request for the following records at the start of the audit;

a) Advance register;
b) Cash book;
c) Payment vouchers for advances;
d) Advance account ledger.

Audit Programme-Advances and Allowances

Ref Audit Programme Tasks

Personal Advances
1 Ascertain that recoveries are being made according to schedule, and recovery is not overdue.
2 Check salaries to ascertain the necessary deductions were made from the concerned staff.
3 For resignations, retirements and dismissals, ascertain that the outstanding advance balance was fully recovered.
4 Ascertain that the advance was properly authorised.

Administrative Advances
5 Confirm that full accountability was submitted within one month of original disbursement.
6 Ascertain that the submitted accountability has supporting documents
7 Confirm that the amounts advanced agree with the amounts authorised

ASSETS

Non Current (Fixed Assets)

Activities involved

This focuses on assets like;
- Land
- Buildings
- Roads and bridges
- Machinery and Equipment
- Furniture and fixtures

Key Control Objectives

To ensure that there is adequate management of all categories of fixed assets.

Key Risks

1. Poor control over the management of the assets.
2. Poor maintenance of the assets.
3. Breach of policies concerning the acquisition and disposal of assets.

Important records needed for the audit

The following records should be requested for at the start of the audit;

a) Asset register
b) Title deeds and registration documents
c) Cash book
d) Payment vouchers
e) Policy concerning acquisitions and disposal of assets

Suggested Sampling

Select all assets acquired during the financial year.

Audit Programme – Non Current Assets (Fixed Assets)

Ref Audit Programme Tasks

Asset Acquisition
1 Confirm that the policies regarding acquisition of assets were adhered to.
2 Ascertain that the asset was recorded in the general ledger.
3 Confirm that the asset cost reflected in the general ledger agrees with the payment voucher.
4 Confirm that the correct asset details, costs, and ownership details have been properly captured in the asset register.
5 Obtain and review a schedule of the asset balances as per the fixed assets register, add it up, and ensure that it balances, or has been formally reconciled with the related general ledger account. Investigate any variances found.
6 Verify a sample of the assets by physically inspecting them.
7 Ascertain that the title deeds are available and that the ownership is in the names of the entity.

Maintenance
8 Confirm that a policy for repairs and maintenance of assets is in place and ascertain that it is adhered to.
9 Review the maintenance costs and charges made to the ledger accounts and check that they are reasonable.

Operations and Usage
10 Confirm that the assets are being used for the tasks that they were intended for.
11 Ascertain that appropriate security measures are in place to safeguard the assets.

Vehicles
12 Check that stock records like fuel and tyres for a particular vehicle agree to that vehicle’s maintenance card.
13 Examine the log books for the sampled vehicles and investigate the reasons for the low or excessive use.
14 Confirm that the vehicles are being used for the appropriate task that they were meant for.
15 Ascertain that a system is in place to record all costs and expenditure for each individual vehicle.

Debtors, Prepayments and Advances

Activities involved

This covers the audit of debtors, prepayments and advances.

Key Control Objectives

To ensure that;
a. Debtors, prepayments and advances have been recorded at period end;
b. The amounts in the balance sheet are stated on a consistent basis.

Key Risks

1. Misstatement of debtors, advances and prepayments.
2. Inaccurate recording of amounts due from third parties.
3. Inappropriate valuation of debtors, prepayments and advances.

Important records needed for the audit

The following records should be requested for at the beginning of the audit;

a) Schedule of debtors, prepayments, and advances.
b) Accounting records
c) List of bad debts and write-offs

Audit Programme-Debtors, Prepayments and Advances

Ref Audit Programme Tasks

Debtors
1 Obtain a schedule of debtors and prepayments.
2 Confirm that the schedules add up correctly.
3 Confirm that the totals agree with those in the debtors’ control account. Where they don’t agree, ascertain that reconciliation was prepared.
4 Confirm that the debtors’ balances agree with the debtors’ statement.

Bad and doubtful debts
5 Establish the basis for the provision of bad and doubtful debts.
6 Ascertain the debtors/revenues written off during the year.
7 Confirm that all write offs were properly approved and accounted for.

Prepayments
8 For advance payments, check that a performance bond exists.

Advances
9 Ascertain that the original payments were authorised.
10 Confirm that prepayments are being made according to the established policies.

Cash and bank balances

Activities involved

The following areas are important;

- Treasury management;
- Cash and bank balances;
- Cash book operation

Key control objectives

To ensure that;
a) All bank accounts are properly reconciled.
b) Cash books are properly maintained and regularly reconciled to the Bank statement.

Key Risks

1. Misuse of funds due to poor control mechanisms

Important records needed for the audit

The auditor/inspector should request for the following records at the beginning of the audit;

a) Bank account details
b) Certificates of bank balances
c) Cheque books
d) Bank reconciliations
e) Cash books

Suggested Sampling

Select 100% of bank accounts

Audit Programme-Cash and Bank Balances

Ref Audit Programme Tasks

Bank Accounts
1 Obtain details of all bank accounts with full titles, account numbers, and authorised signatories.
2 Obtain a copy of the contract and correspondences with the entity’s bankers.
3 Confirm that all subsidiary bank accounts are operated on an imprest basis.

Cheque Control
4 Confirm that the cheques are kept in a safe place.
5 Ascertain that a cheque register is in place and that all cheque books in use were recorded down
6 Ascertain the signatures on the cheques.
7 Confirm that the stock balance of cheques is verified regularly e.g. once a month
8 For cancelled/spoilt cheques, inspect the cheques to ascertain that they were properly cancelled.

Reconciliation of cash books with Bank statements
9 Verify the independence of the person responsible for preparing and despatching cheque instructions.
10 Verify the arithmetic accuracy of the reconciliation
12 Get direct confirmation of account balances directly from the banks, and compare them with the cash book balances.
13 Check the arithmetic accuracy of all cash books and check every cash book balance to the respective GL accounts.

LIABILITIES

Trade Creditors and Accruals

Key Control Objectives

To ensure that there is proper and correct recording of creditors and accruals.

Key Risks

1. The recorded creditors may not represent all the amounts due to third parties.
2. Inaccurate stating of creditors and accruals.

Important records needed for the audit

The auditor/inspector should request for the following records at the start of the audit;

a) Accounting records
b) Schedule of trade creditors and accruals
c) Commitments register
d) Age Analysis
e) Annual Accounts

Audit Programme-Trade Creditors and Accruals

Ref Audit Programme Tasks

Trade Creditors
1 Obtain a schedule of creditors as at the end of the last quarter.
2 Confirm that the schedule adds up correctly
3 Ascertain that the creditors’ totals agree with the details in the creditor control account.
4 Confirm that the creditors’ balances on the schedules agree with the creditors’ statements.
5 Get explanations for any material reconciling differences.

Non Trade Creditors and Accrued Liabilities
6 Verify that the basis for this year’s accrued liabilities is consistent with the previous years’.

Provisions
7 Confirm that the basis for the provisions is consistent with the previous years.
8 Confirm that the material provisions have been disclosed.

Borrowings/Loans

Key Control Objectives

To ensure that;
a) Loans have correctly been recorded in the balance sheet.
b) The loans have been obtained in accordance with the relevant laws.

Key Risks

1. The correct procedure was not used when obtaining the loan.
2. Under declaration of the loan amounts received.
3. Wrong postings in the financial statements.
4. Non compliance with the loan terms.

Important records needed for the audit

The auditor/inspector should request for the following at the beginning of the audit;

a) Loans register
b) Accounting records
c) Loan agreement
d) Commitments register
e) Loans ledger

Audit Programme-Loans/Borrowings

Ref Audit Programme Tasks

1 Verify that the procedure used to obtain the loan was in line with the relevant laws and guidelines.
2 Verify that the loan was approved by the responsible officer.
3 Ascertain that the loan was used for the purpose it was intended for.
4 Review the terms of the loan and verify that they are being complied with.
5 Confirm that all interest and principal due on the loan has been paid or accrued.
6 Obtain an official statement from the lender and confirm that it agrees with the loan records.

Article 7

Audit Inspection

7.1 Introduction

This article provides the Inspector / the Auditor with an overview of the theoretical assumptions concerning the execution of an inspection in the public administration. The objective of the audit inspection is to determine how well financial transactions and/ or operating controls conform to established laws, standards, regulations and policies and procedures. It is against this background that the inspector MUST first identify and obtain all the applicable standards, regulations, policies and procedures. S/he must then read and understand them prior to undertaking an inspection.

7.2 PAF Inspection Procedures – Overview

7.2.1 Mandate:

The Public Finance and Accountability Act 2003 mandates the Ministry of Finance to inspect Local Governments, Central Governments and other entities to ensure that the funds released to them are used for the purpose for which they were appropriated and are properly accounted for. PAF Inspection is carried out to control, monitor and evaluate the performance of Local Governments. Inspection promotes standardization, uniformity and consistency in the implementation of Government policies and programmes for improved service delivery across the Local Governments. It helps in determining the adequacy of internal controls, the accuracy and propriety of transactions, the safeguarding of and accountability for assets, and the level of compliance with Government laws, regulations and procedures.

7.2.2 Expected benefits of inspection

When undertaken on a regular basis and in a comprehensive manner, inspection will help the Ministry to:
a) Confirm that projects being implemented conform to the set goals and objectives
b) Review operations and programmes to ascertain whether the implementation is consistent with the regulations
c) Establish whether programmes are being carried out in accordance with the budget, work plans, and in time
d) Identify factors that inhibit satisfactory performance so that strategies addressing them are developed and implemented
e) Put in place mechanisms for measuring and reporting the accomplishments of objectives and outputs.

7.2.3 Methodology for inspection

PAF inspection will use the following methodology:
a) Physical visit to the districts, municipal councils and town councils
b) Reviewing of relevant official documents and records
c) Interviewing of key personnel of the local governments
d) Site visits to projects under implementation and those already implemented
e) Recording of the findings during inspection

f) Reporting to the PS/ST, D/ST, DB, AG, and other relevant authorities of the findings

7.2.4 Criteria for inspection

When carrying out inspections, the Inspectors are expected to follow the following procedures.

7.2.4.1 Releases from MoFPED

Confirm that cash released was received and duly recorded in the cash book and that the bank account has been reconciled. Confirm that cash due to lower councils was remitted and recorded. This should be confirmed with the cashbooks, bank statement and reconciliations.

Ensure that all books of accounts are posted up to date, i.e. abstracts, cashbook for general account, ledgers and vote books.

7.2.4.2 Work plans and progress reports

Obtain work plans from the CAO and heads of departments for the quarter being inspected. Check with departments on the implementation of the work plans in the quarter and activities which spill over to other quarters. The areas to be covered include;
§ Health
§ Education
§ Water and sanitation
§ Roads
§ Production
§ Monitoring and accountability.

Review work plans for the quarter and progress reports and ascertain the absorption of funds per sector identified and analyse the overall fund absorption per quarter.

7.2.4.3 Monitoring and evaluation

Obtain monitoring reports and confirm that they are in line with the work plans and budgets.

Obtain minutes of the district council to confirm their involvement in the planning, monitoring and evaluation of the PAF Programmes. Confirm the existence of the following statutory Boards and Commissions namely;
a) Contracts Committee
b) District Service Commission
c) Districts Public Accounts Committee

To confirm their operations and effectiveness, obtain minutes of their meetings.

7.2.4.4 Staffing levels

§ Confirm whether all the positions have been filled
§ Check whether the positions were filled transparently
§ Look at the organization structure of finance, audit and procurement

§ Establish the number of staff on professional training and those who have completed
§ Check on staff deployment.

7.2.4.5 Programme implementation

While at the departments, randomly identify the projects to inspect. (Emphasis should be given to projects far away from the district headquarters.) The following should be inspected. (At least 3 sectors should be inspected in a quarter.)

A) Education/UPE Schools

§ Class room construction
§ Pupil enrolment levels
§ Staffing levels
§ School records

B) Health Centres

§ Constructed health centres – check whether the buildings are of quality to match the money budgeted and paid
§ Availability of health workers
§ Availability of records i.e. inventory records, books of accounts, etc.

C) Water and sanitation

§ Water coverage and how it has changed over the periods
§ Boreholes/wells constructed
§ Springs protected
§ Confirming whether it is functioning
§ Confirm the existence of the local water committee

D) Roads

§ Inspect road constructed
§ Check whether drainage has been provided for
§ Maintenance of existing roads

E) Production

§ Check whether extension workers are in place
§ Look at the reports of the extension workers
§ Look at the projects worked on and their impact on areas where they have been implemented.

F) LGDP

§ Check on LGDP funds received
§ Check how the LGDP funds have been allocated
§ Check on LGDP expenditures and accountability

7.2.4.6 Bookkeeping and accountability

Confirm that all books of accounts i.e. cashbooks, vote books, ledgers, abstracts, and payroll are posted up to date and are reconciled monthly.

Confirm whether the above books of accounts have been checked and verified by CFO and the internal auditor/inspector.

7.2.4.7 Revenue recording

§ Obtain sources of locally raised revenue and
§ Confirm if all local revenue estimates are shown in the revenue register in accordance with Financial Regulations.
§ Establish if the revenue collections are periodically reconciled or registers updated
§ Establish whether the arrears of revenue are recorded and summary submitted to the Executive Council for appropriate action.

7.2.4.8 Cash books

§ Confirm consistency of opening and closing balances
§ Confirm whether they are reconciled to bank statements regularly
§ Check for the arithmetic accuracy of the balances
§ Check for any unusual items
§ Confirm that each account has a separate cash book

7.2.4.9 Abstracts: Revenue & Expenditure

§ Is there an abstract book showing the funds trail
§ Confirm whether the abstracts were balanced off.
§ Check for arithmetic accuracy
§ Confirm the frequency of posting abstracts

7.2.4.10 Ledgers

§ Check whether ledgers are in place
§ Ledgers should be updated monthly
§ Check for arithmetic accuracy
§ Check the ledgers against the abstracts to ensure that the figures reconcile

7.2.4.11 Accountability

Check for:

§ Compliance accounting procedure, guidelines and regulations followed.
§ Transparency in expenditure framework
§ Accuracy and completeness in transactions
§ Audit queries raised and responses to them
§ Whether the figures in the returns submitted tally with the ledgers, cashbooks and abstracts

7.2.4.12 Expenditure returns

§ Check whether they are comprehensive and timely prepared
§ Do they comply with recommended formats?

7.2.4.13 Remittance of taxes to URA

• Confirm whether the district deducts PAYE and withholding tax from employees and suppliers
• Check whether all taxes deducted have been remitted to URA

7.2.4.14 Internal Audit

• Obtain a copy of the quarterly audit report.
• Establish the budget allocation to the audit department, quarterly and annually
• Establish if management acts on the auditor’s/inspector’s reports

7.2.4.15 Staffing position

Find out:

• Posts substantially filled
• Posts acting
• Vacant posts

7.3 Audit Inspection of Missions Abroad

This consists of the following sub accounts areas:

i. Releases (RBC’s, any other)
ii. Development expenditure
iii. Revenue (visa, passport, rent, etc.)
iv. Remittance to treasury
v. Monthly expenditure

7.3.1 Releases (RBC’s)

Audit Objectives

• To establish whether releases (RBC’s) are receipted and accounted for monthly (monthly returns)
• To ensure that releases are as per the approved budget with the exception of special and supplementary releases.
• To ensure that amounts released are actually remitted and received.
• To ensure that all payments made were authorized.
• To ensure that funds released were put to the purpose intended and properly accounted for.
• To ensure that payments for salaries, FSA and other allowances to Mission staff are at the approved scales/rates.
• To ensure that all home based Foreign Service officers recalled or who retire from service are deleted from the mission’s payroll promptly.
• To ensure that all rent payments for Foreign Service officers are properly supported with tenancy agreements and acknowledgement receipts from the landlords.

Assertions

• Authorization
• Completeness
• Occurrence
• Measurement

Error Conditions

• Remittances not receipted
• Amounts remitted less than those released
• Monthly returns not prepared and sent for audit
• Over payment of salaries, allowances & FSA
• Unsupported payments
• Unauthorized re-allocation of funds

Audit Tests

a) Obtain copies of the budget, releases, remittance advice and mission bank statements and reconcile. Note any discrepancies.

b) Vouch / examine the monthly returns to ensure that there is proper accountability of funds released.

c) Check whether the funds were put to the purpose for which they were requisitioned and note any reallocations.

d) Check whether salaries, allowances and FSA to home based foreign service officers were at the authorized rates/ scales

e) Check whether all rent payments were supported with tenancy agreements and acknowledgement receipts from the landlords.

f) Confirm whether officers recalled or those who retire from service are deleted from the mission’s payroll and all their entitlements from the Mission’s funds cease immediately.

g) Confirm whether payments made to facilitate officers at the mission conform to the standing orders for Foreign Service.

h) Confirm whether the Mission’s contracts committee handled all procurements and disposals at the mission. Minutes and other correspondences should evidence this.

i) Check whether all payments made were initiated and authorized.

j) Confirm whether there was compliance with the TAI, Public Finance and Accountability Act, Public Procurement and Disposal Act plus other Government regulations and guidelines in the processing of transactions.

k) Check whether the engagement of local staff was competitively done and whether they are paid according to the established local terms of service.

l) Confirm whether funds advanced to officers while on official duties were properly accounted for.

m) Others (please specify).

7.3.2 Revenue and remittances to treasury

Audit Objectives

• To ensure that all revenue to which the mission (Government of Uganda) is entitled is collected.
• To ensure that all such revenue collected is properly accounted for and entered in the records (i.e. general receipt books, revenue cash books etc.)
• To ensure that all such revenue collected is banked intact
• To ensure that all revenue collected is remitted to treasury monthly and returns also sent.

Assertions

• Completeness
• Measurement
• Occurrence

Error Conditions

• Non-disclosure of revenue collection
• Unauthorized use of NTR.
• Non-remittance of revenue to treasury
• Circumvention of T.A.I, 2003 (i.e. Collections not receipted, banked intact, collections not posted in the revenue cash book etc.)
• Invalid receipts brought to account.
• Use of Visa stamps instead of Visa stickers

Audit Tests

a) Ascertain details of all sources and rates of revenue to the mission (i.e. visa, passport, rent etc).

b) Compare revenue returns with the general receipt books, revenue cash books, revenue abstracts, and mission bank statements.

c) Obtain details of general receipt books issued by the Treasury to the missions and compare with the serial numbers used. Investigate any discrepancies.

d) For Mission confirm whether visa stickers are in use as opposed to Visa stamps.

e) Ensure that separate bank account(s) for NTR is/are maintained and regularly reconciled

f) Check whether all collections were banked intact.

g) Ask for proof of remittance to Treasury (i.e. T.T forms and general receipts issued by the Treasury).

h) Investigate any discrepancies between NTR collected and remitted to the consolidated account.

7.3.3 Government Assets

Audit Objectives

• To ensure that all government assets are acquired only with proper authority
• To ensure that all government assets are properly maintained and used only in the execution of government business
• To ensure that all government assets are accounted for, labeled and recorded (assets register)
• To ensure that disposals of government assets are properly authorized.
• To ensure that there was adherence to the Public Procurement & Disposal Act in the acquisition & disposal of Government assets

Assertions

• Existence
• Completeness
• Measurement
• Ownership

Error Conditions

• Misuse of government assets
• Lack of proper documentation
• Unregistered government assets
• Disposals without authority
• Poor maintenance, handling and squalid conditions

Audit Tests

a) Obtain a fixed asset register of all high value government assets

b) Confirm existence by ascertaining the physical location of all high value government assets

c) Ascertain ownership of high value government assets by inspecting the logbooks, land titles/leases, purchase agreements, etc.

d) Trace some high value government assets to the fixed asset register

e) Check/reconcile stores ledgers with physical items in the store.

f) Where there were disposals, scrapping, etc. check whether it was subjected to established government procedures on disposals.

g) Check the physical conditions of the assets and their current state to establish whether their maintenance, handling and storage are appropriate.

7.3.4 Financial Statements (Final accounts)

Audit Objectives

• To ensure that the final accounts portray a true and fair view of the entity as per the available source documents
• To ensure that all relevant books of accounts were opened during the financial year and posted.
• To ensure that all transactions that took place in the financial year were accurately computed, transferred and recorded.
• To ensure that only transactions pertaining to the financial year in question were included in the accounts.

Assertions

• Completeness
• Measurement
• Occurrence
• Existence

Error Conditions

• Omissions of current year transactions.
• Inclusion in the final accounts of previous year’s transactions
• Relevant books of accounts not opened and/or posted
• Computational errors
• Unauthorized reallocations
• Unauthorized expenditure

Audit Tests

a) Check whether all the appropriate ledgers were opened up

b) Check whether the amount debited to the exchequer accounts were the approved estimates and supplementary estimates were also approved and properly posted.

c) Check whether the amount credited to the expenditure item ledgers are as the figures approved.

d) Check whether all credits to the exchequer accounts as counter balanced by debits in the cashbook were all authorized cash releases from the treasury and that there were no omissions or other questionable entries.

e) Check whether proper expenditure items in the budget were charged according to the nature of the payments

f) Post all vouchers to the cashbook to detect errors, omissions, and mis-postings.

g) Post all the vouchers to the abstract and the abstract to the ledgers to verify the correctness of expenditure items charged

h) For a given period, cast the cashbook, abstract and ledgers.

i) Check whether re-allocations were approved by the secretary to the treasury

j) Ensure that the trial balance and balance sheet genuinely balance

k) Check whether the financial statements submitted were prepared in the format required by the new chart of accounts.

l) Check whether the figures appearing in the financial statements agree with those in the already checked ledgers.

m) Check whether the necessary footnotes were included in the final accounts.

n) Check whether the accounting officer signed all the financial statements.

7.4 Compliance & Inspection Checklist

7.4.1 Revenue

The objective of inspecting revenue is to ensure that all moneys due to the government are properly and promptly collected, recorded, safely kept and banked as soon as possible so as to minimise losses. It is the duty of accounting officers to ensure that the above is implemented through instituting the necessary procedures and controls.

This checklist provides guidelines in inspecting revenue collections in general and can be easily adopted to help the inspector in checking the appropriation-in-aid (AIA). Remember that it should serve as a general guideline. Inspectors will have to modify their inquiries depending on preliminary findings and the nature of the institution that they are inspecting. They do not have to follow the check list in its entirety but should pick those areas that are crucial depending on the institution's controls and experiences of the previous inspections.

Any unusual answers or findings to questions in the above checklist should call for further investigation and satisfactory explanations thereto should be sought.

Inspection Reviews | Matters Arising | Implication | Management Response

Bank accounts

For each ministry, agency or institution, check the following:
• Number of bank accounts maintained
• for each of the accounts find out the following:
  • name and number
  • name of bank where the account is kept
  • date when account was opened
  • letter authorising the opening of the account
  • signatories to the account
  • expected sources of revenue
  • nature of expected expenditure
  • current balance
  • is an associated cash book in existence
  • is it posted up to date
• check details of credit to the account to ensure it agrees with what was expressed in expected sources of revenue
• check the details of debit transactions in a similar manner

• check bank reconciliation details of the account
• are they up to date
• are all direct debits and credits posted to the cash book
• have any transfers been made to and from the account to the consolidated fund
• how often have they been made
• is the account dormant, if so, when was the last transaction to the account
• why has the account not been closed

Receipt Books

Find out the details of the receipt books issued from the Treasury to the ministry or district
• number of books issued and their serial numbers
• when and to whom issued, etc.

Check whether the ministry or district maintains a register for the receipt books

Find out to whom the receipt books have been issued

Pay special attention to those books issued to upcountry centres/posts

Check the register details against the stock of unused receipt books

Check the used receipt books
• ensure that they are posted regularly to the cash book
• ensure all copies of the cancelled receipts are properly marked so and are retained in the book

Ensure that the correct receipt is issued for the type of revenue (Treasury Accounting Instructions specify two types of receipts: 1001 and 1002)
• Are the receipt books stored in a secure place
• Are receipts issued in a sequential order

Collections recording

Are collections at the headquarters recorded promptly

Are the collections from outposts/upcountry centres sent together with copies of receipts to headquarters for recording and banking

How often are collections from the centres sent to headquarters

Do the collections tally with receipts records

Are the collections from the outposts checked for accuracy before processing

Are the collections checked for accuracy to ensure that the ministry has received the correct amounts from the payer

Collections safeguard

Are collections stored in a safe area

Is security provided for transportation of collections to the bank

Are the collections banked intact
• are payments made out of collections without authority from the CTOA
• are there any un-authorised payments?

How are collections in foreign money handled
• how soon are they banked
• is the correct exchange rate utilised

Are collection shortages followed up and recovered

How often are surprise cash counts carried out

Cheques and bank drafts

Those arriving by mail are they recorded on receipt
• who opens the mail - should preferably be somebody different from the cashier

For all cheques and bank drafts - are they checked for accuracy before recording

When are receipts issued – should be preferably after the cheque or draft is cleared

If cheques or drafts are dishonoured
• are they recorded in a register and followed up for collection
• are penalties recovered from the payers

Returns to the Treasury

Are they made regularly and on a timely basis

Are they checked by the Treasury on receipt

Has the ministry asked for assistance, in case of problems

Budget votes/budget line items
• Are they overspent
• Where did the extra funds come from - ensure it is not from collections

Outstanding collections
• Does the ministry maintain a register of outstanding collections/defaulting payers
• Have steps been taken to recover outstanding amounts

Budgeted appropriation-in-aid (NTR)
• Check the budgeted total AIA
• Is any breakdown for it given in the budget estimates
• Is distribution of its receipt for the year known
• Is total collection still on target to achieve the year's total collection
• Is it recorded in a systematic manner
• Are collections in excess of NTR remitted to Commissioner, Treasury Officer of Accounts

Inter-ministry or departmental transactions
• Does the ministry expect to receive revenue from another ministry or a government funded institution

• What steps have been taken to speed up the collection

Internal control

• Check to ensure that the following functions are carried out by different officers - where possible
  • opening of mails
  • recording of collections
  • banking of collections
  • bank reconciliations

7.4.2 Cash Safeguard and Management

It is the responsibility of the Accounting Officers to ensure that cash is kept safely and that it is only applied for the authorised purposes. Management should therefore ensure that all necessary procedures and controls are in place to be able to achieve the above.

Inspection Reviews | Matters Arising | Implication | Management Response

Check to see whether the following are in place:

Safes:
• are the safes properly installed
• have they been issued by the Treasury and recorded thereat
• are they properly installed
• are they easily accessible
• who keeps the keys
• are there any duplicate keys, who keeps them
• is it fireproof

Safe Custody of cash in transit:
• how regularly is cash transferred to and from the bank
• who does the transfer - cashier and another individual
• is the transfer done by public means
• is the transfer time varied for security purposes
• is armed escort requested for

Safe custody of cash:
• is cash always kept under lock and key
• does the person receiving cash sign for it and issue a receipt for the same
• are proper hand over procedures followed
• are surprise cash counts made regularly
• are the surprise cash counts made in the presence of the cashier
• are collections banked intact and immediately
• how are cash losses reported

Imprest matters:
• Are imprest holders duly appointed?

• are adequate imprest sums held?
• are imprests maintained in accordance with the Treasury Accounting Instructions?

Cheques and drafts:
• are cheques checked on receipt and registered
• are they crossed and stamped on receipt
• are receipts promptly issued for the cheques
• are dishonoured cheques registered and followed up
• are unused cheques stored safely/do they have a register
• where are spoilt cheques stored/do they have a register

Foreign currency:
• how is it handled
• how is it recorded
• when are receipts issued
• is there an undue delay between when it is received and when it is banked

Cash book records:
• Are they kept and are they up to date
• Are they reconciled regularly

Hand-over and take over procedures:
• are they in place

7.4.3 Bank Reconciliation

The purpose of bank reconciliation is to agree the balances of cash in the cash book and at the bank and to ensure that all transactions relating to cash are captured and appropriately recorded. In this process it is therefore necessary to compare the transactions in the ministry cash book with those of the bank account at Bank of Uganda or any other bank where the account is kept and make sure that they are in order. It is necessary to investigate the nature and content of those transactions that appear at the ministry and not at the bank and vice-versa. After establishing the authenticity of the transactions, necessary accounting entries should be made.

Bank reconciliation is one of the control measures used to ensure that cash is not lost. It has to be carried out regularly, preferably monthly. The exercise should not be turned into a mechanical one; all transactions should be examined and any unusual circumstances should be followed up immediately to ensure that if there are errors, their nature and causes are established and remedial action is taken immediately. This is necessary because cash is a fluid asset which is easy to pilfer.

An inspector is therefore expected to pay special attention to bank reconciliation. Treasury Accounting Instructions require the Accounting Officer to "file for audit purposes and references, reconciliation statements of their bank balances as shown in their cash books, the abstracts of their accounts and any other working papers which may be required to verify the accuracy of their accounts". In addition, when a bank account is kept, the balance at the close of business on the last day of each month, as certified by the bank, will be reconciled with the balance shown by the cash book in a manner shown on Treasury Form 38 (certificate of bank balance) and the reconciliation statement, together with paid and cancelled cheques, credit and debit advice slips and all other supporting documents will be preserved for audit". Any irregularities unearthed here should be followed up vigorously. The inspector should therefore carry out the following tests.

Inspection Reviews | Matters Arising | Implication | Management Response

Cash Book:
• does each bank account have a cash book
• is the cash book posted up to date
• is it properly ruled-off, cast and balances extracted

Bank Statements:
• are bank statements regularly collected from the bank
• are they checked for accuracy in transactions' records
• are bank balances independently confirmed with the bank

Bank Reconciliations:
• are they carried out regularly
• are they based on the previous ones
• are they checked independently
• are they reviewed by a competent staff
• are the reconciliations carried out by the cashier - usually they should not be
• are they carried out by a computer, if they are
• are they properly filed with the relevant supporting documents
• are they submitted to the Accountant General as required

Direct Debits:
• these originate from the bank and are shown on the bank statement
• are they investigated when noticed
• are they due to bank errors, if so, has the bank been requested to correct them
• after identification are they recorded in the cash book immediately
• are supporting documents obtained from the bank and filed
• is their origin vetted for authenticity and authorisation

Direct Credits:
• these also originate from the bank
• is the bank contacted immediately for their details
  • nature
  • origin
  • authority
  • etc.
• are they due to errors, if so, has the bank been approached to correct them
• are they recorded immediately in the cash book
• is supporting documentation obtained and filed

Un-presented cheques:
• Are they listed each month
• is the list checked for accuracy
• are those that have taken long to clear investigated
• do they include those that have not been collected
• are uncollected cheques re-banked

Outstanding deposits:
• are the details of these regularly examined
• are they followed up to make sure that they are subsequently banked
• is there a mechanism to ensure speedy banking of collections
• are the delays in bankings intentional, are there any ascertainable trends

Any unusual answers to any of the questions in the above checklist should be thoroughly investigated and relevant explanations and information obtained if it is to be assumed that there is nothing amiss. Any identified problem areas should be discussed with the accounting officer and remedial action should be agreed with him and be implemented.

7.4.4 Budget and Budgetary Control

It is the duty of every accounting officer to ensure that the amount appropriated to his vote is properly and economically spent only for those purposes for which the funds have been appropriated. The Constitution of Uganda stipulates that "The Permanent Secretary or the Accounting Officer in charge of a Ministry or department shall be accountable for the funds in that Ministry or department."

Furthermore, accounting regulations require each accounting officer, in respect of the votes and monies for which he is responsible -

(i) an appropriation for which monies expended were voted, the sums actually expended were voted, the sums actually expended on each service, and the state of each vote compared with the appropriation (as varied by any supplementary estimate approved by the National Assembly before the end of the financial year), which shall contain such additional information and be in such form as may direct and shall be signed by the accounting officer;.."

An inspector will therefore check the budget lines of each vote to ensure that what has been expended is in line with the Appropriation Act details. Budget control concerns itself with the management of budget allocations. To ensure that this is in order an inspector will check the following:

Inspection Reviews | Matters Arising | Implication | Management Response

Vote books:
• does the ministry maintain a vote book
• are the postings to it up to date
• is it accurately posted
• is it checked regularly by a senior officer

Budget lines:
• are these specified
• are they given the right codes
• are their appropriations reconciled with those posted to the vote book
• are they monitored
• has there been a reallocation of funds - has it been authorised
• are they updated with any supplementary
• are any budget lines over committed, and if so have they been reported to the proper authority

Payment vouchers:
• are they properly
  • dated
  • authorised
  • coded
  • filled in
• are they accompanied by proper supporting documents
• are some of the supporting documents photocopies
• how is their authenticity established
• are suppliers obliged to pledge indemnity to the ministry in cases where photocopies are accepted as supporting documents
• are payment vouchers bearing a date later than purchase orders and/or invoices
• are payment vouchers properly posted to the vote book and ledgers
• are they properly filed for future reference

Appropriation-in-aid (AIA):
• has it been authorised in the budget
• has it been properly recorded
• is it monitored
• has it been overspent

Prepayments:
• are any payments made in advance
• are they posted to a register opened for this purpose
• who approves these payments - does he have that authority

Authorised officers register:
• is a register of authorised officers maintained
• does it have their specimen signatures
• does it specify the financial limit of their delegation

Foreign payments:
• are these in existence
• have they been properly approved
• are they recorded in the correct manner using relevant currencies

Trial balances and records:
• are these extracted monthly
• are the appropriate returns sent to the Accounting Officer and the Treasury Department

Filing and storage of records:
• are the records appropriately stored
• are they free from dust
• are they protected from floods and fires
• are they easily retrieved

7.4.5 Advances and Prepayments

Advances and prepayments are one of the most problematic areas in the quest to properly control and manage public funds. Year in year out these areas receive mention in the Auditor/inspector General's report for most budget votes as the ones with the weakest controls. As a result a lot of money is lost through advances and prepayments. As an inspector proceeds to check these areas, a lot of care should be taken to ensure that the controls in these areas are not only in existence but are also practised and are reviewed regularly so as to make sure that they remain effective and up to date.

Advances and prepayments require that amounts given or paid out are properly authorised, recorded and followed up for accountability. Their records must be thorough: the recipient must be identified, purpose established and the officer to effect the follow up must also be known and he should have the powers to effect the acquittal of the advance or prepayment. Advances include salary advances which should be subjected to the same treatment as other advances. To ensure that all the above are possible - an inspector should utilise the check list below:

Inspection Reviews | Matters Arising | Implication | Management Response

Are registers maintained for advances and prepayments
• where are they maintained
• who maintains them
• are they checked to ensure that they capture all advances and prepayments
• are they reviewed by a senior and responsible staff
• are they updated on time with acquittals
• are reminders sent to the staff regularly

Are the advances and prepayments properly authorised
• up to the appropriate limits
• are they reviewed to make sure that they are relevant
• are they approved for the right purposes
• are they applied for the right purposes after approval

Is it possible to maintain an imprest in place of the advances

The register should indicate the following in respect of all advances:
• date issued
• amount issued
• purpose of issue, and acquittal date

Are different registers maintained for the following:
• salary advances (in accordance with Treasury Accounting Instructions)
• travel advances (internal and external)
• petrol and car repairs etc.

7.4.6 Payroll

This is another of the problematic areas in the quest to control public funds. It is common to be told that there are ghost staffs on the payroll of ministries and departments. It is therefore imperative that inspectors thoroughly review all transactions associated with the payroll.

These are basically to ensure that staff are paid the correct salaries, on time and that proper deductions are exacted from those salaries and are remitted to the beneficiaries on time. The check list below should assist an inspector in this regard:

Inspection Reviews | Matters Arising | Implication | Management Response

How are staff put on or off the payroll
• who has that authority
• are staff numbers properly controlled for issuance
• is his authority free from corruption when it is transmitted
• does he get feedback by way of report to cross check and ensure that staff put onto or off the payroll agree with his original authority.

Staff cards
• are these maintained
• are they regularly updated
• are they kept safely to ensure no unauthorised amendments
• do they contain relevant and crucial data e.g.
  • name of staff
  • staff number
  • date employed
  • date promoted
  • basic pay
  • allowances
  • permanent deductions

Are staff on payroll compared with the relevant establishment positions

Are salary payments in agreement with appropriations, if not what are the reasons

Are the right codes used to classify and post salaries

Are computations checked for accuracy
• are unusual payments investigated for accuracy and authority
• are leave payments/entitlements approved and monitored
• are any changes to pay checked for accuracy and authority
• are differences in total salary payments between different months investigated

Are staff advances properly authorised and followed up for recovery

Are non acquitted advances recovered from staff entitlements/salaries

Is a payroll register produced as an offshoot of salary processing
• is it checked for accuracy
• filed for future reference and comparison with payrolls of previous or subsequent months

Are salaries paid promptly and to the right staff or their bank accounts
• do staff sign for all salaries collected in person (cash or cheques)
• is their identity verified

Are uncollected salaries kept safely and re-banked if not collected by staff within a reasonable time.

• if salaries for particular staff are not collected over several months are enquiries made about the identity and actual existence of such staff
• are receipts issued for re-banked salaries
• are uncollected salaries totals compared with those salaries not signed for

Are staff salary deductions checked for accuracy and sent to the beneficiaries on time?

Are all statutory deductions made in accordance with the law and remitted on time?

Are payroll returns sent to Ministry of Public Service for cross-checking?

Are last pay certificates prepared in accordance with Treasury Accounting Instructions?

Are payroll staff rotated from time to time?

Do payroll staff have access to personnel records?

An inspector in asking the above questions should satisfy himself that sufficient controls are in place to ensure that the correct salaries are paid to staff and correct deductions are made from staff salaries and paid to the beneficiaries.

Where there is some risk that the controls are weak, an inspector should satisfy himself that no loss has been incurred and then proceed to suggest remedial recommendations and ensure that they are implemented.

7.4.7 Project Accounts

Projects are common in all ministries and departments in Uganda. It is important to ensure that the accounting records of these projects are appropriately maintained to the expected standards of government, donors and other stakeholders.

Projects are usually set up as a result of some agreement. The operation of the project and its accounting records should be guided by the contract. An inspector should always make sure that before he carries out an inspection, he is fully conversant with the terms of the contract.

The inspector should use the following check list when planning an inspection of a project:

Inspection Reviews | Matters Arising | Implication | Management Response

• Establish the project identification number
• Does the project have an agreement stating
  • purpose
  • source of funds
  • objects on which funds will be expended
  • duration
  • when set up
  • conditions attaching to it
• Does the project have a separate bank account(s)
  • where is the account kept
  • who are its financial delegates
  • is the account active
  • if not active, why has it not been closed
• Has the account been approved by the Commissioner, Treasury Officer of Accounts and the Accounting Officer
• Does the project have the following in place:
  • are proper books of account kept
  • are all receipts accounted for
  • are payments properly authorised
  • are bank reconciliations done and properly checked
  • are the internal controls appropriate
• Are reports regularly prepared for the project
  • their format and content in agreement with contract
  • are they reviewed
  • are they audited
• Staff on the project
  • are they civil servants
  • how were they appointed
  • are the accounts staff properly qualified
• Is there a budget
  • has it been properly drawn up by the relevant authorities
  • is it adhered to
  • has it been approved
• Is some of the money invested
  • with prior authority
  • where does investment income go
  • is it authorised
• Check details of money paid into the account
  • are the receipts in accordance with the objectives of the project
  • do they conform to budget expectations
• Check details of payments out of the account
  • are they in conformity with the objectives and budget expectations
• Does the project keep a fixed assets register
  • is it up to date
• Are cash balances carried forward at year end
  • are accounts closed at year end
  • trial balance extracted
  • reconciliations carried out
  • end of year accounts drawn up

7.4.8 Public Debt

The Government of Uganda's public debt accounting records are maintained in the treasury department. One of the divisions of the treasury department is charged with the responsibility of maintaining accounting records of the government public debt, loans and grants. Public debt, loans and grants are a major component of the government annual budget. It is therefore imperative that their records are properly maintained.

Inspectors should therefore once in a while check the accounting records of the public debt division within the treasury department. A distinction should be made between loans, public debt and grants. Public debt refers to government borrowing within the economy; loans usually refer to money borrowed from overseas; and grants are donations, usually from overseas.

An inspector should use the under mentioned check-list whilst planning an inspection of the public debt division.

Inspection Reviews | Matters Arising | Implication | Management Response

• Is there an agreement/contract for each loan
  • has it been properly signed and executed
  • is it filed properly for ease of reference
• Is the loan fully disbursed
• Are the loan repayments being made on time
  • for both principal and interest
  • are repayment schedules in existence
  • are the repayment schedules adhered to
• Is all pertinent correspondence on the loan properly attended to and filed on the correct loan file
  • has a separate bank account been opened for each loan
  • who are the signatories
  • are movements to and from the account in accordance with the loan agreement?
• Has the project which is associated with the loan been reviewed and monitored
• Was any budget prepared for the project
  • is the loan in accordance therewith
  • is the budget up to date
• Are the amounts to be repaid (interest and principal) budgeted for
• Are the payments processed and remitted in an efficient and effective manner
• Is the loan information properly recorded, summarised, analysed and reported
  • is it possible to easily extract the loan details
  • due date
  • outstanding amount
  • amount repaid to date (principal and interest)
  • etc.

• Are the total loan figures available
  • have they been reconciled
• Are the loans properly numbered
  • do separate files exist for loans
• Are proper returns and accounts made at the end of each year or end of loan period in terms with the loan agreement
• Is the loan recorded and transacted in the right currency
  • principal
  • payments
• What is the status of counterpart funds
  • are they readily available
  • are they released in accordance with the terms of the agreement
  • are they hampering the success of the project
• Are the loans included in the budget
• Have they received approval of Parliament
  • do they fulfil statutory requirements
• Are withdrawals properly approved by Auditor/inspector General
• Are proper books of account kept
  • trial balances extracted
  • reconciliations done
  • accounts prepared on time
• Are the returns properly prepared and presented to
  • donors
  • government
• Are there other loans for which the government is a guarantor
  • were they properly authorised
  • are they well monitored
  • are they up to date
  • has Parliament been notified of the same
• Are ministries or departments borrowings approved/notified to the Treasury Department
  • do they have the powers to do so

7.4.9 Procurement and Stores

Government ministries hold a substantial value of stores and fixed assets. It is the duty of the Accounting Officer to ensure that these stores and assets are economically acquired, safeguarded and disposed of in accordance with the given financial regulations and instructions. Inspectors will be familiar with the Treasury Accounting Instructions 1968 - Part II Stores. These instructions are dated and need revision but they still serve some useful purpose. The checklist below is meant to supplement the instructions.

For purposes of this manual, stores do not include fixed assets. The fixed assets have been handled in the next module.

In planning an inspection of stores, an inspector should refer to the following check list. The check list looks at the procurement, receipt and storage, issuance and record keeping and reporting for stores. In all these steps it should be ensured that stores are safeguarded and losses thereof are minimised.

Inspection Reviews | Matters Arising | Implication | Management Response

Stores procurement
• Who places the orders
  • are they in conformity with regulations in terms of
    • size of the order
    • where to order from - suppliers
• Who initiates the order; is it cross checked
  • is the budget line checked for availability of funds
  • is the store checked to find out stock levels
• Once goods are received
  • are they checked against the order
  • is their condition established
  • is a receipt issued
  • are the stock records updated
• Are purchases made on time
• Are they made through the relevant specialist agencies
• Is there an officer responsible for procurement
  • how does he relate to other staff
• What is the procedure for handling overseas purchases
• Are local purchase orders utilised
  • to whom are copies of these forms sent
• Is there a file of financial delegates
• Are tenders advertised - if they are within the required values
• Is the tenders board in place
• Are purchases for outstations properly handled
• Are staff availed guidelines to assist them in purchasing
  • where to buy from
  • who should authorise what amounts
  • list of approved suppliers
  • purchases from overseas or from in country
• If tendering is involved - were
  • tenders properly advertised
  • were applications properly received and evaluated
  • was a meeting appropriately held
  • were the results communicated

Stores Issuance

• Are the goods stored in an appropriate environment
  • aired
  • under lock and key
  • away from water and fire
• When issues are made from the store
  • are they made by an authorised officer
  • is the store checked for availability of the goods
  • are the stock records updated
• Are the goods available in the stores
• Are supplies made to other ministries and departments
  • how are they cleared
  • are payments made between them
• Are qualified staff in charge of stores
• Is entry to the store restricted
• Are book records regularly checked against actual stock
• What procedures are there for reporting stock loss
• Are documents associated with ordering and issuance of stores
  • pre-numbered
  • kept under lock and key
• Is stock taking done regularly
  • is it checked
• Is a reconciliation made between stores requests and stores issues
• Are the forms for requisitioning and issuance of stock serially numbered

Stores Disposal
• How is old and slow moving stock disposed of
• Are the procedures for disposing of non useable stock
• Are boards of survey regularly carried out
• Where do the disposal proceeds go

Stores Payments
• Before payment is made ensure there is a mechanism to ensure that
  • goods have been received
  • proper coding of expenditure has been done
  • payments are appropriately authorised
  • funds are available
• Are there local stores instructions/manuals which should cover the following:
  • receipt
  • custody
  • issue and disposal
  • verification of balances
  • investigation of discrepancies
• Is there separation of duties; these tasks should be kept separate
  • ordering
  • checking deliveries

  • authorising payments

Stores Records
• Does the store keep records
  • are the records up to date
  • are they checked regularly
• Are stores receipts and issues posted immediately and balances determined
• Are corrections appropriately initialled
• Ensure all procedures are properly recorded
• If contracts are involved
  • are they properly tendered
  • registered
  • payments certified
  • necessary guarantees obtained
  • retention moneys held until the completion and review of the contract for quality of work certification

7.4.10 Fixed Assets

Fixed assets have been treated separately from stores but the same procedures and controls relating to acquisition, safeguard and disposal of stores apply equally to fixed assets.

Government uses cash basis of accounting. As a result, fixed assets do not usually receive the attention they deserve. They are expensed on purchase and are not capitalised; therefore they tend to disappear from accounting records. However, fixed assets are an important component of government expenditure and therefore require monitoring and safeguard to discourage waste.

An inspector should ensure that all fixed assets are captured and recorded in a register for control and monitoring purposes. The check list below should guide him in this regard.

Inspection Reviews | Matters Arising | Implication | Management Response

• Check to see if there is a fixed assets register.
  • who maintains it
  • is it manually maintained or is maintained on a computer?
  • is it updated regularly?
  • is it updated each year and are the opening balances verified
  • where is it kept
• Are the assets numbered and branded?
• How are assets disposed of?
  • is proper authority obtained before they are boarded-off?
  • are boarding-off procedures followed?
  • are the assets valued before disposal?
  • how are the sale proceeds handled?
  • are they duly receipted and banked?
• Are the fixed assets verified against the register?
• Review updating of process of the fixed assets register
• Are there land and buildings
  • where are the registers kept? Do they have titles
  • are the relevant rents and rates paid?
• Have the assets been revalued?
  • by whom - qualified professional?
  • are relevant certificates attached?
• Is the actual existence of the assets verified?
• Has ownership of the assets been verified?
• Have they been registered with the relevant authorities
  • the appropriate fees been paid?
• Are movements properly recorded?
• Are proper records kept of
  • additions
  • disposals
  • revaluations
• Have the disposals been made to other government departments?

The above check list should assist an inspector to plan the inspection of fixed assets. It is imperative that a fixed assets register is maintained as a basis for monitoring and safeguarding the fixed assets.

7.4.11 Statutory Returns

All ministries and institutions that receive government funding are supposed to lodge statutory returns regularly with the Accounting Officer and/or the Treasury Department in respect of monies received or expended by them.

The details and specifications of these returns are given in the Treasury Accounting Instructions manual. They include the following:
• revenue returns
• arrears of revenue
• counterfoil forms
• revenue stamps
• safes and cash boxes

Inspectors should ensure that these returns are lodged on time and should check them for accuracy and completeness by ensuring that they are in agreement with the accounting records and books from which they have been prepared.

Inspectors should monitor the regularity by which the returns are submitted and reminders should be sent to errant ministries and institutions. If reminders are unheeded then the inspectors should visit the ministry and find out what the problem is. It may be necessary to assist the staff in compiling the returns.

7.5 Annual Accounts

All ministries and institutions that receive government funding are supposed to lodge their annual accounts with the Treasury Department. All Accounting Officers are meant to submit to the Commissioner, Treasury Officer of Accounts and the Auditor/Inspector General signed statements which include: a balance sheet, summary of revenue and expenditure and a statement of contingent liabilities. More statements which are to be lodged at year end are specified in the Treasury Accounting Instructions. In order to be able to produce the above accounts and statements, accounts, books, ledgers and bank accounts are closed, the necessary reconciliations are carried out and trial balances are extracted.

It is the duty of the inspectors to ensure that the records and books are properly kept throughout the year to enable extraction of trial balances which will be used to compile the accounts and statements. The format of the accounts and statements is specified in the Treasury Accounting Instructions and this should strictly be adhered to.

The accounts and statements on being received by the Commissioner, Treasury Officer of Accounts should be checked for accuracy and completeness before they are consolidated and submitted to the Auditor/inspector General's office.

7.6 Inspection of Computerised Accounting Systems

Some ministries and institutions have computerised accounting systems and those that have manual accounting systems are slowly computerising them. It is therefore important that inspectors be versed with computerised accounting systems if they are to carry out effective inspections.

The inspector will need to be familiar with the accounting system. He will have to know its component parts; the source documents; the processing and the reports it produces. The source documents and the reports are generally not problematic because these can be seen. However the processing of the data takes place within the machine and it is not visible. The inspector should therefore seek assurance that what comes out of the machine is what he expects.

He will be able to get that reassurance if he knows the various components of the accounting system. The system will usually consist of a general ledger, cash book and several other sub-components e.g. payroll, inventory, fixed assets etc. The system should be documented and it should have user manuals. The inspector ought to be able to understand them. He should request the accounts and data processing staff to help him understand the system and how it operates. It is only after he has acquired this understanding that he can carry out meaningful inspections.

Inspection Reviews | Matters Arising | Implication | Management Response

The inspector should always assure himself that the following are in place:

• The system is documented
• The system has user manuals
• Access to the computer is controlled through use of
  • physical access limitations
  • passwords
• Data is checked for correctness before it is input to the computer through use of
  • batches
  • check digits
• Data once input will not be deleted or overwritten without proper authority
• All processing failures are logged and enquired into
• Backup is carried out regularly and backup files are stored off site
• Data processing staff are readily available to deal with breakdowns
• Check the output reports for accuracy

Article 8

Performance Audits

8.1 Introduction

8.2 Definitions

The INTOSAI auditing standards define performance audit as an audit of the economy, efficiency and effectiveness with which the audited entity uses its resources in carrying out its responsibilities.

INTOSAI standards state that performance audit is an:

a) audit of the economy of administrative activities in accordance with sound administrative principles and practices, and management policies;

b) audit of the efficiency of using human, financial and other resources, including examining information systems, performance measures and monitoring arrangements, and procedures followed by audited entities for remedying identified deficiencies;

c) audit of the effectiveness of performance in relation to the achievement of the objectives of the audited entity, and audit of the actual impact of activities compared with the intended impact.

Performance auditing is an independent examination of the efficiency and effectiveness of government undertakings, programs or organizations, with due regard to economy, and the aim of leading to improvements. It does not have its roots in the form of auditing common to the private sector. Its roots lie in the need for independent, wide-ranging analyses of the economy, efficiency, and effectiveness of government programs and agencies made on a non-recurring basis.

8.3 Questions Answered by a Performance Audit

• Are things done in the right way?
• Are the right things being done?

8.3.1 Special Features of Performance Auditing

• Not subject to specific requirements and expectations.
• Flexible in its choice of subjects, audit objects, methods, and opinions.
• It is an independent examination made on a non-recurring basis.

8.3.2 Objectives of Performance Auditing

• to provide the legislature and audited entities with independent examination as to the economy, efficiency and effectiveness of implementation of practices in certain governmental programmes and to the economy, efficiency and effectiveness of the means used in order to implement it

• to identify and analyse any problems of economy, efficiency and effectiveness in government programmes and in the field with poor performance, and thus help the Government of the audited entity to make correct managerial decisions

• to report on the programme impact and to analyse the achievement of the stated objectives. If these have not been achieved (partially or totally) the causes will be identified

• to provide the legislature or the audited entity with results of independent analyses related to the currency and the degree of credibility of stated performance indices. It also provides an assessment of the degree of liability of self-evaluation indices stated and reported by the entities developing programmes of managing public funds;

• to formulate recommendations intended to the legislature and the audited entity, based on the findings and conclusions resulted from the auditing

8.4 Concepts in Performance Auditing

Performance auditing is based on three concepts:

1) Economy- Minimising the cost of resources for an activity, having regard to proper quality.

2) Efficiency-The relationship between the output in terms of goods, services or other results, and the resources used to produce them.

3) Effectiveness- Effects compared with goals and related to the resources used to achieve these goals.

8.4.1 The Economy Approach

The auditor/inspector focussing on economy has to define expenditure correctly.

Some of the questions dealt with include:
• To what extent are resources like raw materials, equipment etc. acquired at the best prices and to what extent are they the right resources?
• How does actual expenditure compare to the budget?
• To what extent are all resources utilised?
• Are the staff often unoccupied or are they fully utilised?
• Is the organization using the optimum mix of inputs (e.g. should less staff have been employed and more money spent on computers)?

8.4.2 The Efficiency Approach

The auditor/inspector aiming at measuring efficiency has to start the audit by first analysing the different types of output of the ministry or department being audited.

Questions that may be used in the efficiency analysis of a particular project, ministry or department are:
• Could the project have been implemented in another way which could have resulted in lower production costs?
• Are the working methods the most rational ones?

• Are there any bottle-necks which should have been avoided?
• Is there any unnecessary overlapping in the delegation of duties?
• How well do the different units cooperate in promoting the common goal?
• Are there any incentives for the staff involved to aim for cost reduction and to complete the work on time?

8.4.3 The Effectiveness Approach

If the auditor/inspector is focussing on effectiveness, he will start by identifying the goals of the programme and operationalise the goals to measure effectiveness. The auditor/inspector will also need to identify the target group for the programme and search for answers to questions like;

• Has the goal been achieved at a reasonable cost and within the set time limit?
• Was the target group defined correctly?
• Are the objectives of managerial policy being achieved with the means used, i.e. are the predicted results being obtained?
• Are the means used and the results obtained compatible with the objectives of the managerial policy?
• Does the predicted impact represent direct results of the managerial policy rather than one due to other circumstances?

8.5 Approaches to Performance Auditing

There are two approaches;

1) The Results-Oriented Approach

This approach deals mainly with:
- the performance results;
- the results obtained;
- the fulfilment of criteria and the observance of requirements.

This approach analyses the resulting performance in the context of economy, efficiency and effectiveness by comparing the auditors'/inspectors' observations to the given norms (goals, objectives, regulations, standards etc.) and the audit criteria defined before the complete study begins. Auditors/inspectors may work with experts in the field in order to set up criteria that are objective, relevant, reasonable and attainable.

2) The Problem-Oriented Approach

The purpose of this approach is to deliver updated information about the problems and how to deal with them.

In this type of approach:
• The auditing is concentrated on problem identification, verification and analysis, without pre-defined auditing criteria.

• The starting point is the indication of shortcomings and problems (malfunctions).
• There is formulation of questions like: do the stated problems really exist? how can they be understood and what causes them?
• The auditors/inspectors formulate hypotheses on the causes and possible effects of these problems and test them.

8.6 Performance Auditing and the International Auditing Standards

The international auditing standards that regulate the activity of financial auditing are also applied to performance auditing.

8.6.1 Common Provisions

There are common provisions related to:

- audit planning (examples: the risk is assessed in both audits);
- assessment of accounting and internal control systems;
- audit evidence;
- audit approach;
- audit documentation;
- audit quality.

8.7 Performance Audit Methodology

Performance auditors/inspectors may deal with a multitude of topics and perspectives covering the entire government sector. Many methods for collecting and processing information may be used. The methodology is almost similar to that used in other audits.

8.7.1 Summary of the Methodology

1) Planning - The process of defining issues or problems to be studied.
2) Audit Questions - The questions to be answered.
3) Study Design - The information needed and the study to be done.
4) Audit Program - The type of investigations to be conducted.
5) Data Collection - The techniques for data collection to be used.
6) Analyses - The explanations and the relationships to be explored.

Even though these steps constitute the performance audit methodology, it must be stated that a performance audit must also always be based on such issues as individual insight, experience, imagination and creativity.

8.7.2 The strategic performance audit plan

• This defines the department’s performance audit programme and priorities and the necessary personnel and resources.
• It is founded on a good knowledge of audited fields, the changing environment and the opportunities presented to the department.

• It needs to be flexible enough to allow new topics that emerge during the year to be introduced.
• Unlike a financial audit, which aims to reach an opinion on the completeness and accuracy of financial statements and the legality and regularity of underlying transactions, with performance audit the audit institution is free to choose the audit topics and audit objectives.

8.7.3 Defining fields and selecting studies

Selecting studies includes:
a) the preliminary documentation and understanding of the activity of the entity;
b) identifying risks to performance;
c) evaluating parliamentary and public interest;
d) choosing topics;
e) setting priorities.

8.7.3.1 Preliminary documentation and understanding of the entity’s activities

In order to achieve this purpose, the auditors/inspectors must identify the important aspects of the environment in which the entity develops its activity, mainly by collecting information related to:
§ The entity’s objectives;
§ The resources, including assets;
§ The incomes;
§ The entity’s legal framework;
§ The human resources from a qualitative and quantitative point of view;
§ The environment in which the entity operates;
§ The entity’s reporting obligations;
§ Geographic considerations;
§ The organisation and structure.

• The auditors/inspectors must also seek to identify the main sources of audit evidence.

• To obtain the information and understand the entity/activity/project, the auditors/inspectors will refer to the financial audit reports and working papers, the static plans of the entity, the business plan, the government and entity publications, reports of previous audits, and any research from the academic world.

• The information obtained may be summarised in a standard document called a “programme analysis”*. The programme analysis includes the following rubrics: objectives, inputs, processes, outputs, variables, and outcomes.

Here, the auditor/inspector;

• Identifies the outcomes the entity aims to achieve.
• Looks for objectives that are specific enough to be measured.
• Discusses aims and objectives with officials to clarify any ambiguities and identify any that are unstated.

• May analyse information on entity incomes and expenditures (detailed by programmes and elements).
• There should be an ongoing survey of the governmental activities, of the allocation of public funds and of the management of these funds.
• The auditor/inspector should also identify and contact certain persons with an interest in the subject matter being considered. These persons can be “key persons” from the audited clients or beneficiaries of public services having commercial relationship with the entity, experts from the academic field or researchers etc.

8.7.3.2 Identifying risks and assessing the quality of management

• This stage is fundamental.
• Auditors/inspectors must take into consideration that some activities carry an inherent risk.
• There is no universal formula to establish areas with high-risk.

8.7.3.2 Factors that may warn of existence of risk

§ Unjustified expenditures, exceeding the provisions;
§ Untouched or partially touched economic objectives;
§ Cost increases and significant failure to meet deadlines in the case of certain projects;
§ Complaints, litigations and reactions of the representatives of consumers’ groups concerning the quality of services;
§ High levels of public budgetary debts;
§ New initiatives inappropriately founded;
§ Internal systems (of accounting and of control) organised or managed inappropriately;
§ Significant losses due to natural disasters, theft or extravagance;
§ Contracts assigned without a competitive process.

• The auditor/inspector should rank risks depending on their probability of occurrence and their impact.
• Auditors/inspectors should seek to identify the causes, and effects.

8.7.4 Selecting topics

To better deal with this, the auditor/inspector should ask the following questions:
• Was the programme well implemented?
• Were the objectives achieved?
• Are the economy, efficiency and effectiveness at risk?
• Will the study give something new on performance improving?
• Is this the appropriate moment to perform the audit?
• Is it possible to perform the study?

8.7.5 Setting priorities

The main criteria that underlie the priority of a matter are:
• The responsibility towards the parliament and the citizens;
• Improving performance auditing;
• Providing a balanced programme of performance audit.

8.7.5.1 Possible areas for selection

In drawing up the performance audit programme it will be important to select matters that cover a large area of studies, such as:

• Studies performed in areas with high levels or cases of frauds or illegalities;
• Studies of assessment of managerial performances in fields such as public acquisitions, project management, service quality;
• New governmental initiatives.

8.7.6 Elements of a study proposal

For each study, there are 2-3 proposals after answering “yes” to the questions presented above and after ordering them by priority.

The study proposals must be clearly and concisely formulated in a brief notice which will include the following elements:
• What the study is about (the department or the departments, processes and resources);
• The motivation of the proposal to perform the study (the existence of the risk in performance achieving, user reasons, the analysed aspect, the parliament and public concern);
• What questions will be asked;
• The main methods to obtain and analyse data and information;
• What is the outcome likely to be?
• What is the opinion of the entity about the study idea?

8.7.7 Planning the audit activity

• This comes after the study selection.
• It involves a preliminary study and drawing up an audit plan for each selected study.
• Always perform a preliminary study before drawing up the performance audit plan.
• The report on the preliminary study should confirm whether the study is well founded and whether it should be completed.
• It should also include an analysis of the context for the activities involved including the objectives, legislative environment and the questions, criteria, and how we propose to obtain and interpret audit evidence.

8.8 Understand the entity’s activities

• The auditor/inspector should start by obtaining the information necessary to understand the entity's activity.

This is achieved by:

• Visiting the entity locations.
• Performing interviews with “key persons”.
• Consulting experts, academics, bidders and representatives of the beneficiaries related to the entity's activity.
• Understanding key systems of management and information flow.

8.8.1 Auditor’s/inspector’s role at this stage

• Gathering enough evidence to formulate questions.
• Setting up criteria for performance assessment.
• Selecting the most appropriate methods of obtaining other reliable, relevant and reasonable evidence.
• Evaluating whether the study could improve the situation.

8.9 Deciding on the main elements of the study

• The auditor/inspector formulates “the audit objectives”, i.e. “the stated results of effects of the study” and may revise the main questions formulated in the selection stage.
• The audit objectives should improve the performance.
• Questions are determined by the nature of topic and by the audit objectives.
• The situation-complication technique is used to clarify the main questions of the audit.
• The term situation defines a brief description of the main study topic, including the objectives of the audited programme or activity.
• The term complication defines the problem or the problems arising out of the situation, and is the reason for the study.

Example 1:

Situation

Study of the implementation of a new informatics system. To improve efficiency, a Department intended to introduce in 2001 a new computer system, for which 600 million lei were allocated, with an estimated efficiency gain of 50 million lei starting from the following year.

Complication

The computer system was purchased at a price 200 million lei higher than expected, the implementation was completed 5 months later than planned and the efficiency level is lower than expected.

Question: Was the project well managed?

8.10 Analysing the main study question into sub-questions

• The main questions are divided into secondary questions.
• From these, the auditor/inspector should formulate hypotheses and identify the audit evidence that can validate or invalidate the hypotheses.

Hints

It is necessary:
• to formulate questions in a logical and strict succession:
• in a logical order – Were the acquisitions well planned? Were they well done? Was the contract executed?
• in a structured order – Is department A efficient? Is department B efficient? Is section C efficient? etc.;
• to abandon unessential questions;
• depending on objectives – Are social indemnities paid to the right people? Is the stated quantum paid?

Example

Main question – Can the purchase of a new informatics system assure performance?

There are three secondary questions:
1. Did the entity make the acquisition according to the regulations in force?
2. Does the informatics system satisfy the needs of the users at a reasonable cost?
3. Did the entity survey the observance of the contractual clauses by the supplier?

Secondary question (level 2) – Does the informatics system satisfy the user needs at a reasonable cost? – may be divided into three further secondary questions:
2.1. Were the requirements for the system clearly formulated from the beginning?
2.2. Do the contractual clauses concerning the service comply with the requirements?
2.3. Was a good price obtained?

The secondary question (level 2.3) – Was a good price obtained? – is divided into three further secondary questions:
2.3.1. Was there a correct competition for the contract adjustment?
2.3.2. Was the competition maintained during all the contracting process?
2.3.3. Were the different forms of public acquisitions taken into consideration?

8.11 Identifying criteria

• These are the standards used to judge (evaluate) the performance achievement.
• Auditors/inspectors should verify that the criteria are:
§ Reliable
§ Reasonable
§ Tangible
§ Valid, and
§ Based on authorised sources

• The auditor/inspector should consider both the quantitative criteria (numerical) and the qualitative criteria (good practice in a certain field).

8.11.1 Examples of authorised sources

§ Legislation, official policy declarations, standards;
§ Departmental guides and regulations;
§ Managerial practices accepted by the departments;
§ Contractual requirements;
§ Industrial standards and other relevant indices;
§ Relevant performance objectives and tasks (published).

8.12 Identifying the Audit Evidence That Answers the Study Questions

• Audit evidence consists of documents and information collected by auditors/inspectors in order to support the findings, conclusions and recommendations included in the audit reports.

• The INTOSAI Auditing Standards state that “Competent, relevant and reasonable evidence should be obtained to support the auditor/inspector's judgement and conclusions regarding the organisation, program, activity or function under audit (paragraph 3.0.3 (e))”.

8.12.1 Role of the auditor/inspector

The auditor/inspector should:
§ Identify, collect and analyse audit evidence related to the inputs, process description, outputs and effects, and to the public perceptions or opinions (for instance public opinion about public services);
§ Collect audit evidence to answer the lowest level questions;
§ Take into account any limits that they can find in formulating conclusions.

8.12.3 Characteristics of audit evidence

• Audit evidence is only reliable if the information and data obtained by the auditors/inspectors are:

§ Sufficient
§ Appropriate (in order to achieve the audit objectives)
§ Objective
§ Reliable

8.12.4 Considerations in assessing reliability of evidence

• Audit evidence from sources external to the audited entity is much more consistent than evidence from inside the entity;
• The audit evidence obtained as documents is more consistent than verbal (oral) evidence;

• The audit evidence directly obtained by the auditor/inspector is more consistent than that indirectly obtained;
• Oral audit evidence corroborated with written evidence is much more consistent than isolated oral audit evidence;
• The corroboration of the evidence obtained is a secure technique to consolidate its reliability;
• The original documents are more consistent than copies, but if the original documents are copied by the auditor/inspector, then he must note the source and the date of photocopy.

8.12.5 Types of audit evidence

• Audit evidence is:
§ Used to demonstrate whether the management and the personnel of the audited entity perform their activity according to the operative principles stated by the policies and standards adopted, and use the resources in an economic, efficient and effective way.
§ Instrumental in protecting the audited entity in its relationship with other entities.

Types of audit evidence include:

a) Physical audit evidence

• Obtained by direct observation of the persons and events.
• Takes the form of photos, diagrams, graphical maps and other forms and representations.

b) Oral audit evidence

• Takes the form of declarations, which frequently are answers to interviews, opinion tests etc.
• The declarations are usually obtained from the entity employees, the beneficiaries of the audited programme, experts and special advisors hired to give support in providing additional evidence and even from the representatives of the public opinion.

How Declarations are consolidated as audit Evidence

This is done by:
• Getting a written confirmation from the person interviewed;
• Soliciting independent sources that relate similar facts;
• Subsequent verification of recording.

The sincerity of the persons interviewed, their position inside the entity, their level of knowledge and the desire to collaborate determine the relevance of such evidence.

c) Testimonial audit evidence

• Is obtained through documents.
• It can be presented in written or electronic form.
• Evidence is obtained by analysing:

§ External documents such as: letters and memoranda received by the audited entity
§ Inquiries from suppliers
§ Leasing contracts, other contracts
§ Reports of external auditor/inspectors, other reports
§ Confirmation letters from third parties.
§ Internal documents (issued by the entity), i.e. accounting, external correspondence, entity description, budgets, internal reports, static synthesis of the activity carried out by the entity, internal policies and procedures.

d) Analytic evidence

• Obtained by verifying the explanation and the analysis of data related to the activities on implementing a programme by the audited entity.
• The analyses mainly involve assessments (evaluations) of indices and trends obtained from the audited entity and from other sources. Logically these indices and/or trends are compared to the recommendations of standards applicable in the field or of certain technical guides (if the case stands).
• Usually numerical (i.e. assessment of the result of using resources or the ratios of budget expended), but they may also be non-numerical (i.e. noting a growing trend of a certain type of contestations in the audited entity).

8.12.6 Selecting the methods to obtain and analyse audit evidence

The audit evidence may be obtained by:

§ Visiting the locations of the audited entity in order to analyse the different documents existing in files or to perform interviews with key persons.
§ Sending letters or addressing questionnaires that include a list of questions on the audited matter.
§ Analysing a representative sample.

Analysis of files

• The auditor/inspector should use professional reasoning when choosing the most appropriate methods and techniques to obtain audit evidence.
• Analysis can be by:

Observation

By studying the general behaviour of the entity personnel one can obtain information related to:
§ sensitive problems,
§ the management ethics and
§ the relationship between the entity personnel and the public/beneficiaries of public services.

• Auditors/inspectors should only choose those activities which will be directly observed, by selecting activities appropriate for observation and that are representative for the audited field.

• Auditors/inspectors must obtain behaviour similar to auditees’ behaviour. In such situations the auditors/inspectors will refer to the quality management of the entity in order to obtain the approval for using this technique.

• Photos, video or audio recording give value to direct observations.

Using Questionnaires

• Questionnaires are used to highlight facts or opinions.
• If the entity has regional locations, then questionnaires are sent by mail, but the inconvenience is that those who are questioned may not answer, may complete the questionnaire with errors or may return it late.

8.13 Selecting the Methods of Interpreting Audit Evidence

In performance audit the audit evidence can be explained by using the following methods:
§ filling in tables and designing graphical representations in order to summarise quantitative data and information;
§ calculating performance indices (cost per product unit, income produced by each person);
§ drawing up and analysing diagrams;
§ analysing the relationships between variables;
§ describing and analysing a process in a flowchart;
§ filling in a matrix and performing a comparison between criteria and conditions.

8.14 The Preliminary Study Report

• This shows the motivation and the procedure that the auditor/inspector intends to use to perform the study.

8.14.1 Contents of the report

a) The study scope and costs and the estimation of the publishing moment;
b) The analysis of the context in which the activities of the entity proposed for audit are carried out, including the auditing objectives, the updated results and the legislative framework;
c) The risk analysis in achieving the performance;
d) The audit objectives (stated impact and audit effect).

8.15 Summarising, Analysing and Interpreting Audit Evidence

8.15.1 Summarising data and information

The auditor/inspector can use any of these methods:

• Tables – statistical data, results of observations, responses to closed questions of questionnaires;
• Coding (ordering by topic and ideas) of the narrative information, results of documents analysis, notes during the interviews and focus groups and responses to open questions of the questionnaires.

• After summarising the audit evidence, the auditor/inspector should perform an assessment so as to ascertain the consistency.
• Data and information are coded depending on topics and ideas, so that the auditor/inspector may perform comparisons and other analysis.
• Matrices and diagrams will be used to summarise data and information of a process in order to interpret them.

Contract Entity | A | B | C | D | E | F
Were tenders invited to send offers? | √ | √ | X | √ | X | √
Was the specification drafted? | X | √ | X | √ | √ | √
Was a contracting collective created? | √ | √ | √ | √ | X | √
Was a project manager appointed? | √ | √ | √ | √ | √ | √

8.15.2 Analysing causes and effects

• This takes place after the audit evidence has been summarised and analysed.

• The auditors/inspectors start their interpretation using a procedure that takes into consideration four main elements:

§ Criteria: What should be?
§ Condition: What is, i.e. the entity’s activity, outputs and/or effects?

8.15.3 Studying the causes

• A process-effect matrix is used to understand how a certain process determines and influences the effect.
• A matrix is used to:

- Describe audit evidence which sustains that the effect is induced or influenced by the process;

- Describe audit evidence which does not sustain that the effect is determined or influenced by the process;

- Test process-effect relations, in case of audit evidence which generates doubts.

8.15.4 Studying important effects, and the relation cause-effect.

• The auditors/inspectors must identify and analyse the most important effects, which will be compared to the costs and benefits of programmes or with other unintended effects.

• The auditor/inspector can phrase a conclusion if he finds out that the cause and the effect appear recurrently while implementing a process or carrying out an activity.

• Usually, one or more findings can sustain one conclusion, and one or more conclusions ground a recommendation.

• If auditor/inspectors find out that the cause and the effect are recurrent, they must formulate conclusions and recommendations. Generally, the findings sustain conclusions, and one or more conclusions are the basis to formulate a recommendation.

8.16 Documentation

The auditors/inspectors have to appropriately document audit evidence (the results of the analysis) in order to sustain conclusions and to confirm that the audit was performed according to the standards of performance audit.

Appropriate documentation is important if we take into account that it:
§ confirms and sustains the auditors'/inspectors' conclusions and recommendations;
§ increases the audit efficiency and effectiveness;
§ serves as a source of information in the stage of drawing up reports and can give answers to any questions of the audited entity or of third parties;
§ serves as evidence of the audit's compliance with the auditing standards in force;
§ contributes to the auditors'/inspectors' training;
§ sustains and sometimes provides defence evidence in case of litigation or actions;
§ assures the recording of the activity carried out for further reference;
§ facilitates the control activity and assures the audit quality.

Detailed and strict documentation is a premise for maintaining an acceptable level of auditing, if the following considerations are taken into account:

§ There must be an appropriate, defensible basis for the audit opinions expressed in the report;
§ It allows the auditors/inspectors to more consistently explain to the legislator the findings resulting from the performed audit;
§ It ensures an effective connection between successive audits;
§ It provides a basis for the audit quality control.

8.17 Reviewing the Evidence

The auditor/inspector-in-charge will analyse whether the plan of collecting audit evidence has been achieved, whether answers were obtained to all study questions and whether the results were well documented. They will approve the documents analysed.

8.18 Reporting

• Every performance audit mission should culminate in drawing up a report.
• These reports offer independent information, solutions and assurances concerning the economy, efficiency and effectiveness of the use of public funds by the audited entities, even if they refer to past events, because their key messages can give a vision of the future. In this context, it is important that the information in the reports be clear and documented.

• To draw up the audit report, the auditors/inspectors first draft a plan of the report. On the basis of this plan the auditor/inspector will write the report, and edit it.

8.18.1 Report content

Performance audit reports generally include the following elements:
§ report title;
§ the summary presentation of the context of development of the activities submitted to the auditing, including the institutional context;
§ the objectives of the activity of the audited entity and the analysis of the perspective related to efficiency, effectiveness and economy, details necessary to support the audit objectives;
§ the description of the methodologies used in collecting and analysing audit evidence, specifying their sources;

8.19 Criteria Used to Assess Performance

• Audit findings considered relevant for the report consignees and users;
• Conclusions on the audit objectives;
• The recommendations, logically based on the conclusions.

Article 9

Systems Audit

9.1 Manual Purpose and Contents

System Audit execution within the overall internal audit framework is dealt with in this manual. Framework and objectives to be achieved by the Internal Auditor/inspector are defined. The purpose of this manual is to provide an overview on main tools to be applied for an objective assessment and evaluation of auditee's activities within the system audit.

9.2 Basic Terminology

Adequate control and management mechanisms are in place if the management plans and organises in a way that would provide an adequate certainty that goals and objectives of an organisation shall be achieved in an effective and economic way. The process of establishing the systems starts by setting goals and objectives. Mutual links of the concepts or people operating together follow so that the goals and objectives set are achieved. If the system project is correct, activities should be implemented according to the plan and the results envisaged should be achieved.

Adequate certainty is in place if adequate measures are adopted to limit biases and deviations down to the tolerance level. That means that while projecting the systems the management shall consider the ratio of the resources spent to the benefit to be achieved. The term “adequate certainty” shall mean that absolute certainty cannot be ensured by internal control, yet procedures are in place that are as efficient as possible, to handle the risks “adequately”.

Performance shall indicate that the scope of internal control is very broad and that it refers not only to financial aspects but also to the quality of financial information, organisation's growth, improving its profitability or efficiency at the costs as low as possible, improvement of social environment, etc. In such a case, it is not a mere adherence to legislation or internal rules of organisation but specific measures adopted to ensure protection of organisation against any impact, threat or hazard of any type.

Potential loss associated with any demonstration of risk; measured by the costs needed to bring the risk under control.

Effective performance shall mean to achieve goals and objectives accurately and on time with minimal resource spending.

Economic performance shall mean to achieve goals and objectives at costs proportional to the risks. Economic performance aspect also shall be included in the term “effective”.

Operation shall mean a repeated activity of an organisation with the objective to produce a product or deliver a service. Activities may include marketing, sale, purchase, manufacturing, human resources, finances, accounting and Government support. The results of activities carried out shall be compared with the goals and objectives set covering budgets, time, financial or operational plans.

Program shall mean a repeated operation of an organisation of a special purpose. It includes capital acquisition, equipment sale, promotion events to attract financial resources (ways how such financial resources are collected), period of more intensive activity when introducing new product, new service, capital expenses and targeted Governmental subsidies. Once accomplished, the program usually ceases to exist. Programme results are compared with the programme goals and objectives set.

9.3 System Audit General Description

System audit includes:

• To execute a continual analysis of a central authority and organisations reporting to it, thus monitoring correct organisation management, and at the same time to propose appropriate recommendations and measures to the management
• To verify reliability and appropriateness of information system at the organisation
• To audit correctness of development policy implementation, standards and instructions of the organisation management
• To monitor and revise financial control executions at all levels of activities of the organisation and in all its structures and systems
• To inform the management on any irregularities or deviations found out with recommendations how to eliminate them
• To evaluate and ensure that all of the organisation's resources, both human and material ones, are applied adequately to achieve the best possible results
• To pay special attention to the new management trends and systems, to contribute to establishing an environment open to new changes and to the nature of team work
• To conduct special studies and economic overviews on the environment in which the organisation operates.

Minimal scope of the internal auditor’s/inspector's work includes:

1. Examination and evaluation of adequacy and efficiency of management and control mechanisms and performance quality while implementing the functions assigned – while assessing the system adequacy (for instance, process, operation, function or activity; it is an arrangement, set or selection of concepts, activities or employees in some relationships with the purpose to achieve goals and objectives) of internal management and control mechanisms; system audit is to examine whether or not the systems established provide adequate guarantee that the goals (general statements on what the organisation seeks to achieve. Goal setting is followed by objective setting and development, operation and maintenance of the systems where the purpose is to implement goals and objectives of the organisation concerned) and objectives (specific intentions of specific systems; it is necessary to indicate them as operational or program intentions or objectives, standards operated, performance degrees, objective plans or results projected / expected) are implemented in an efficient and economic way.

2. Information reliability and integrity – information systems provide data for decision making, management and control. In the framework of a System Audit Internal Auditor/inspectors should assess reliability and integrity of financial and operational information and resources used to identify, measure, classify and report such information.

It is therefore important to examine whether or not:

• accurate, reliable, timely, complete and helpful information is contained in financial and operational records
• record keeping and reporting are verified by management and control mechanisms and whether or not they are adequate and efficient.

3. Compliance with the principles, plans, procedures, laws and provisions – Internal Auditor/inspector is to examine whether or not these systems are adequate and efficient and whether or not they comply with the above relevant requirements.

4. Property protection – Internal Auditor/inspector is to assess whether or not the tools used for property (asset) protection are secured against different types of damages such as theft, damage, incorrect or illegal activity, and/or exposure to natural disasters.

5. Economic and effective resource spending – within this type of Internal Audit the Internal Auditor/inspector is accountable for determining whether or not

• internal standards for measuring the economy and effectiveness have been set
• internal management acts established have been understood correctly and are followed, whether or not any deviations have been identified, analysed and communicated to people responsible for their remedy

6. Implementation of the goals and objectives set for operations or programmes – System Audit should find out whether or not any criteria have been set for this field. If yes, their adequacy should be assessed. If such criteria are not adequate according to the Auditor/inspector's opinion, the whole case should be communicated to the competent management level and alternative source of criteria should be recommended such as:

• Norms and standards recognised
• Standards developed by professional or other associations
• Legislation, Government resolutions (Government regulations)

Following objectives shall be met by proper accomplishment of the above assignments through the System Audit conducted:
• efficient internal control which will be neither paralysing nor bureaucratic, however not of a centralistic nature
• achievement of a good organisation operation, its operation systems and adequate use of resources

• assurance of policy, standards and management instructions implementation
• continual improvement of management of organisation
• ongoing information communication to the management and finding out any irregularities and also proposals of relevant measures for their elimination
• to verify how the recommendations and measures approved by responsible employees upon auditor/inspector's proposal are implemented by a range of organisation's departments
• support of the necessary changes undertaken and encouragement of staff to adapt to the new systems.

9.4 Assessment Effectiveness of Internal Control System

Internal control is the process identified to ensure adequately that the specific objectives are achieved in the field of accountability, efficiency and effectiveness of operations, reliability of financial reports presented and compliance with the laws and regulations applied. Efficiency of an internal control system is a process where the objective is to have a reasonable assurance that all of the organisation's objectives shall be achieved. One of the crucial aspects of an audit is to enhance the organisation's environment by:

• strengthening the awareness about organisation's objectives and the role of internal control while achieving them
• motivating staff to propose and implement control processes carefully and
• continually improving control processes.

Regardless of quality of procedures established, internal control may only be executed upon a precondition that the two aspects below are met by the organisation concerned:

1. clear and unambiguous role separation between employees of the unit concerned; the prerequisite for that is the function-separation principle reducing the risk of fraud, mistake or neglect; a sufficiently detailed organisational chart has to be in place and administrative and accounting procedures available in writing

2. competent and coherent staff shall mean that employees are honest and adhere to the ethics within the organisation which is a crucial factor for assessing the internal control environment. Management involvement plays a crucial role when introducing rules of ethics in public organisation.

Objectives of internal control system include:

• finding out any deficiencies, weaknesses
• enhancing quality in control activities (areas)
• better overview on control systems in particular units (departments, workplaces)
• management co-involvement in control system verification
• transparency of standards used for organisation management

The objective of the internal control system is to detect any deviations from the goals set by the organisation and to minimise any potential “surprise”. Furthermore, control enables management to face any potential risks within the speedy development of the economic environment and competition, and to guarantee stability (reliability) of financial conditions and adherence to legislation. In the framework of the internal control system everybody in the organisation has responsibilities. All employees play some role in activities control, resource spending and the way in which their particular work is carried out. Staff at large are responsible for communicating any problems at work, any non-permitted deviations from standards, or any breach of legislation or of the activities concept.

Within the overall execution of a system audit, one of the crucial aspects is the evaluation of the internal control system. The Auditor/inspector should take the following into account:

• any potential mistake which may occur
• control procedures, which may be of a preventive nature or designed to detect mistakes
• whether or not control procedures have been established
• any shortcomings of the established control system that may lead to mistakes
• effects of such shortcomings on the scope, duration or magnitude of the audit procedures to be focused on the control mechanism.

Methods applicable for evaluation of the internal control system include:

• questionnaire regarding the internal control system (see Annex 1). The questionnaire should be structured in such a way that a negative response indicates a potential shortcoming of the control system
• verbal description of a control system
• flow chart

The following knowledge is crucial for an Internal Auditor/inspector in this context:

• knowledge about the control system of an organisation
• knowledge about risks and risk management
• internal audit procedures and techniques
• familiarity with information technologies
• resource management
• knowledge about the organisation and its activities
• strategy management
• managerial procedures
• familiarity with the environment in which the organisation concerned operates
• financial management
• social patterns effective in the given time period.

Since the internal control system is a process, its efficiency is a state at a given moment in time. The role of an Internal Auditor/inspector is to assess all components of internal control as follows:

• control environment, which sets the way an organisation operates and determines employees' relationship to control. It constitutes a basis for all other components including structure and discipline. Control environment factors include integrity, ethical values and capabilities of staff, management philosophy and style, the way powers and responsibilities are delegated, and the way employees are organised and developed professionally

• risk assessment: any organisation faces a range of external and internal risks that have to be assessed. A precondition of assessment is to identify objectives at different levels and their mutual links. Risk assessment means that the risks relevant to achieving the objectives are identified and analysed; it is used as a basis for determining how such risks are to be managed

• control activities: procedures that help ensure management instructions are carried out. They help ensure that the tools necessary for risk control are actually applied in connection with achieving the organisational objectives

• information and communication: information has to be identified, collected and forwarded in an appropriate form and within a deadline that enables every employee to fulfil his/her responsibility. Information systems produce reports containing operational information, financial data and data on compliance with standards, which make it possible to manage and control activities in a suitable manner. Information systems work not only with information originating within the organisation concerned but also with information on external events, activities or conditions relevant to decision-making and to information sharing with third parties. Communication must be effective in a broad sense, flowing to all managerial levels and through all units and departments, both bottom-up and top-down. Employees have to understand what their respective roles are in the internal control system and how their individual activities relate to the work of others. It is also necessary to have means for passing important information up to the higher levels and to manage effective communication with third parties.

What cannot be achieved by internal control:

• success of an organisation is guaranteed by control, i.e. at least it ensures that the basic objectives are achieved or that the organisation is sustained. However, control itself can hardly help to achieve the objectives set. Control may provide management with information on the overall progress of the organisation towards its objectives; however, it cannot ensure that a poor manager changes into a good one! Similarly, changes in Government policy or the economic environment may remain beyond the scope of management control. Internal control can ensure neither the success nor the sustainability of an organisation

• reliability of financial information and compliance with relevant legislation is ensured by control. However, it can only provide reasonable certainty, not absolute certainty! The chances of success are subject to limitations inherent in any internal control system. Such limitations include the undeniable fact that any effort on which decisions are based may be wrong and may lead to failures due to mistakes or errors made.


Internal control is not made up of one single event or circumstance; it comprises several actions covering all activities of an organisation. Such actions are present everywhere and are independent from management.

Management processes implemented within an organisation and their functions are co-ordinated by management process phases including:

– planning
– performance
– monitoring

Internal control shall be a part of the processes above and shall be integrated in them, assisting their adequate operation, monitoring and applicability at any time. It is a helpful management tool; however, it shall not replace management.

The internal control system is linked with the operative activities of an organisation. Internal control is much more efficient if it is built into the infrastructure of an organisation and thus forms part of its very core. Its incorporation must be more than merely formal. The inclusion of internal control may directly affect the ability of an organisation to achieve its objectives and at the same time support its initiatives from the quality perspective.

Considering the control concept, the objectives are classified as follows:
1. Efficiency and effectiveness of operations – shall mean that resources to protect property (assets) shall be assessed and economy and efficiency of resource spending evaluated.
2. Reliability of financial statements – shall mean assessment of reliability and integrity of financial and operational information.
3. Compliance with valid legislation and regulations – shall mean that systems to ensure compliance with main principles, regulations, etc. shall be assessed.

Internal Control Assessment

Justification of assessment by an internal auditor/inspector

• no truly detailed audit of operations can be conducted, nor can a sufficiently representative sample of such operations be taken, except for very small organisational units
• an opinion that “all” entries have been made in the accounting books cannot be given without relying on internal control procedures
• some of the verification tests of operations can only be conducted if an Internal auditor/inspector adopts procedures enabling him/her to assess the correctness of the documents “demonstrated” which may be presented to him/her
• managerial employees cannot verify by themselves that relevant procedures and decisions have been applied
• many of the procedures which are not of a strictly accounting nature contribute to the reliability of financial statements


• the quality of budgetary control and management control is enhanced by reliable internal control
• in the field of on-going monitoring and management of the liabilities and commitments of an organisation, the continuity of an operation can be assessed by an internal auditor/inspector through efficient management tools
• on-going monitoring and collection of reliable information on liabilities received regarding expenditures makes it possible to check the continuity of costs accounted for in the last month of an accounting period and thus to confirm the correct separation of the respective accounting periods
• the quality of information beyond the accounts (reports, business records, various records, statistics, etc.) enables an internal auditor/inspector to become assured of his/her understanding of the economic conditions of an organisation as it results from analysis of the accounts.

Assessment Criteria

Assessment has to be conducted in phases:

• acquaintance with procedures – this does not mean a detailed or complete description of the procedure examined; the aim is to find the main elements that either contribute to audit reliability or, on the other hand, represent weaknesses. Relatively standard elements encountered in most organisations or boards of directors can be included. For instance, in the field of order processing it is necessary to verify whether or not the following assignments have been separated thoroughly:
  – delivery
  – invoicing
  – payment

• procedure descriptions – descriptions available within an organisation should preferably be used, such as:
  – detailed description
  – flow chart

The following has to be taken into account in system description:

• reliable partners for discussions have to be selected, who are familiar with the procedures to be verified
• too much detail has to be avoided: more time is needed to produce such a description, and it may become a barrier to acquiring a sufficient overview of the matter

However, detailed description may be necessary:

• for the purpose of activities or a comprehensive part of activities
• to meet the objective of a board of directors to have a model of its procedures available, for instance for informatisation, mainly if such information refers to information systems that are common to several boards.


In practice, it is a matter of:

• elaborating a schematic and brief description of a procedure (list of main participants and description of their respective assignments)
• a description of the key elements of the procedure, which may be identified by reflecting on related risks and through an internal control questionnaire in which the auditor/inspector's statements (responses to the questions in the questionnaire) on the procedure under examination are recorded

• compliance or understanding tests – these make it possible to ensure that the procedures and key elements established have been understood. The tests include:
  – tests of link-up and sequence, to track the whole course of the procedure for some selected operations
  – specific tests focused on particular procedural elements which are not clear enough
  – returning to the employees concerned, describing their respective operations and asking them to provide an explanation. The advantage of this procedure is its simplicity and the involvement of more employees, which in the end guarantees that no element is neglected or forgotten.

9.5 Audit of Operations

This type of audit action can be described as a formal and systematic verification conducted by qualified professionals to identify to what extent an auditee accomplishes the particular objectives set by management and to find room for improvement. Therefore, within the audit of operations an in-depth study of an auditee is conducted, focused either on a particular department and function or on activities, methods, systems and the utilisation of equipment and human resources. The objective is to assist management in achieving more efficiency by detecting defects or irregularities and recommending appropriate measures, which must be feasible in the context of the organisation's objectives and policy.

Audit of operations must be an independent and objective exercise implemented by staff specialised in the field of audit, according to goals set beforehand. It may be a survey of sets of the auditee's activities or functions, and/or part of them, in which the current level of internal control and the adequacy of the procedures and systems applied in the audited area are verified.

Comparison of audit of operations with financial audit

There are a number of similarities between financial audit and audit of operations. In essence, both need to express an opinion that is duly backed and based on the facts detected, formulated from a position that does not depend on the auditee's functional structure. Within an Internal Audit, methods and procedures are assessed from the perspective of compliance with requirements and principles, not from the perspective of the person concerned. Financial audit and audit of operations frequently meet in using accounting as an information and verification resource. What distinguishes these two audits is the objective.


Financial Audit – is to verify the authenticity and accuracy of operations and their compliance with the organisation's standards and policy. It seeks a coherent approach (rational coherence, mutual links) to internal control to ensure the integrity of the auditee's assets.

Audit of Operations – is to improve the management of audited areas. Its role is therefore to point out any shortcomings that prevent proper activity and to produce recommendations for remedying them so that the situation improves.

Financial audit programme (plan) is standardised. It includes audit objectives and internal control questionnaires necessary to collect basic information so that the program components are accomplished gradually.

In the case of an audit of operations, a specific programme (plan) has to be compiled for each of the areas or functions audited, according to the auditee's characteristic features and its internal policy. When a financial audit detects a failure to comply with accounting standards or principles, its immediate recommendation has to point out the obligation to comply. Recommendations formulated within an audit of operations are not mandatory, as they do not result from principles whose adoption is obligatory and are backed only by rational contemplation and common sense. Recommendations referring to a failure to comply with standards and management instructions are the only exception. During this type of audit the Auditor/inspector has to be very creative in order to examine situations from the management perspective.

With audit of operations perceived in this way, the internal audit unit actually becomes the “extended arm” of management, which has authorised the auditor/inspector to carry out his/her work.

Any audit of operation may only be implemented if its methodology and requirements are known.

Internal Auditors/inspectors conducting an audit of operations have to know the principles and rules of financial management and should possess accurate and comprehensive knowledge of how the auditee concerned is managed. A quality audit of operations can only be conducted by internal audit units that are equipped for it with staff and a degree of independence, hold a position of some prestige and are acknowledged.

The objective of this type of internal audit is to ensure that the systems, processes and mechanisms of management function as well as possible. Therefore all units, including management, have to keep in mind that the elements of any system gradually “wear out”, procedures may become obsolete and structures are affected by the ravages of time. An organisation can always be improved and enhanced.

The basic issue emerging during the execution of an audit of operations is a total lack of standard rules, procedures or programmes, as each organisation is different and has its own characteristic nature. The auditor/inspector, on the other hand, will not be (and does not even need to be!) an expert in every single field or activity audited. He/she has to rely on a systematic survey leading to knowledge of the specific methods, systems, processes and control mechanisms in each of the areas, activities, functions or departments to be audited.

Audit of operations shall be tied up with an analysis of:

efficiency and effectiveness – audit shall focus, for instance, on:

• an inconvenient organisational chart
• unnecessary actions or activities
• complicated information flow
• inappropriate working methods, procedures, etc.

objective achievement – audit shall focus on:

• level of achieving the objectives
• planning system to plan realistic objectives
• factors reducing the value of a result achieved, etc.

economy – audit shall focus on:

• any wasting of resources and whether or not control mechanisms are in place to prevent it
• whether or not unnecessarily expensive equipment is used
• any wasting of labour in units or at operations

Expanding the audit of operations would mean that the following factors also become subjects of the auditor/inspector's interest:

• Equity – to assess the results of operations in relation to the environment so that neither discrimination nor unfairness occurs – to work correctly
• Environment – to assess operations and their results in relation to the working and natural environment
• Ethics – to assess the correct and moral behaviour of management and employees – to work morally.

The core of internal audit is the audit of operations, whose objective is to enhance the efficiency of organisations. Audit of operations is to verify whether or not an auditee carries out its activities properly, in a proper way and in a cost-effective manner, and whether or not an auditee behaves in an ethical way and has responsible


Article 10 Information Technology Audit

10.0 Introduction

Information and the technology that supports it represent the organisation’s most valuable assets. In today’s rapidly changing environment, management has heightened expectations regarding IT delivery functions: it requires increased quality, functionality and ease of use, decreased delivery time and continuously improving service levels, while demanding that this be accomplished at lower cost.

There are numerous changes in IT and its operating environment that emphasise the need to better manage IT related risks. Dependence on electronic information and IT systems is essential to support critical business processes. Additionally, the regulatory environment and best practices call for stricter control over information and IT due to the increasing disclosures of information system disasters and increasing electronic fraud. The management of IT related risks is now considered as a key part of an organisation’s governance. The onus is on the internal auditor/inspector, to plan and adequately review IT systems in use and report to management on IT risks and how to mitigate them.

Many Ministries, Government departments and processes are increasingly becoming computerised. The Ministry of Finance, for example, has implemented the Integrated Financial Management System (IFMS) to improve the quality of financial management and decision making. Automation, however good, comes with specific risks. Specifically, it replaces manual processes and controls (checks and balances) with programmed ones. These risks place a great responsibility on management, internal and external auditors/inspectors and staff to continuously monitor automated processes and manage such risks.

The major concern that all auditors/inspectors must bear in mind before undertaking any audit assignment is that of risk. All audit findings must take into account the level of risk to the business associated with the finding/s. The issue is therefore to consider the risk to the organisation associated with the use of Information Technology (IT). If the organisation’s core business processes are automated, then it is only as good as its IT, since failure of its IT system may result in failure of the business as a whole. Consequently, the Internal Auditor/inspector must understand the organisation’s business environment and plan the audit accordingly. The Integrated Financial Management System is a good example of process automation. Conversely, the success of the Ministry is more and more dependent on its IT system/s. This chapter discusses a simple approach for auditing in an IT environment, covering key areas of audit planning, step-by-step IT audit procedures, risk assessment and reporting. The key issue is to understand IT best practices and the organisation’s business environment, processes and controls.


Internal auditors/inspectors should ask the following questions:
• What do we mean by IT controls?
• Why do we need IT controls?
• Who is responsible for IT controls?
• When is it appropriate to conduct IT controls?
• Where exactly are IT controls applied?
• How do we perform IT control assessments?

The audit process provides a formal structure for addressing IT controls within the overall system of internal controls. The internal auditor/inspector’s role in IT controls begins with a sound conceptual understanding and ends with providing the results of risk and control assessments. Internal auditors/inspectors interact with the people responsible for controls and must pursue continuous learning and reassessment as new technologies emerge and the organization’s opportunities, uses, dependencies, strategies, risks, and requirements change.

10.1 Understanding IT Controls

Internal control is defined as: “A process, effected by an organization’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the categories below:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations.”

IT controls include those processes that provide assurance for information and information services and help mitigate the risks associated with an organization’s use of technology. The controls range from written corporate policies to their implementation within coded instructions; from physical access protection to the ability to trace actions and transactions to the individuals who are responsible for them; and from automatic edits to reasonability analysis for large bodies of data.

10.1.1 Control Classifications

Controls are classified to help understand their purposes and how they fit into the overall system of internal controls. Understanding the classification will help the auditor/inspector in answering key questions like:
• Are the detective controls adequate to identify errors that may get past the preventive controls?
• Are corrective controls sufficient to fix the detected errors?


The following are the classifications of IT controls;

1) General Controls (Infrastructure controls)

This applies to all systems components, processes, and data for Ministry of Finance. General controls include:
• Information security policy
• Administration, access, and authentication
• Separation of key IT functions
• Management of systems acquisition and implementation
• Change management
• Backup
• Recovery and business continuity

2) Application Controls

These are concerned with the scope of individual business processes or application systems.

Application controls include:
• Data edits
• Separation of business functions (e.g. transaction initiation versus authorization)
• Balancing of processing totals
• Transaction logging
• Error reporting

Controls are further classified as;

a) Preventive Controls

These prevent errors, omissions, or security incidents from occurring.

They include:
• Access controls that protect sensitive data or systems resources from unauthorised people
• Antivirus software
• Firewalls
• Intrusion prevention systems

b) Detective Controls

These detect errors or incidents not curtailed by the preventive controls.

They include:
• Identifying account numbers of inactive accounts
• Identifying accounts that have been flagged for monitoring of suspicious activities
• Monitoring and analysis to uncover activities or events that exceed authority limits

c) Corrective Controls

These correct errors, omissions, or incidents that have been detected. They include:
• Simple correction of data entry errors
• Identifying and removing unauthorized users or software from systems or networks
• Recovery from disruptions or disasters

To simplify correction, it is more efficient to prevent errors or detect them as close as possible to their source.

The controls should also be subject to detective and preventive controls, because they represent another opportunity for errors, omissions, or falsification.

10.1.2.1 IT Controls

1) Policies

Clear policy statements regarding all aspects of IT should be devised and approved by management, and communicated to all staff.

Examples of IT policy statements include:
• A general policy on the level of security and privacy throughout Ministry of Finance. This should be consistent with all relevant national and international legislation and should specify the level of control and security required depending on the sensitivity of the system and data processed.

• A statement on the classification of information and the rights of access at each level. The policy should also define any limitations on the use of this information by those approved for access.

• Clear distinction of the parties with the authority to originate, modify, or delete information.

• Personnel policies that define and enforce conditions for staff in sensitive areas. This includes having employees sign agreements accepting responsibilities for the required levels of control, security, and confidentiality. This policy also includes related disciplinary procedures.

• Definitions of overall business continuity planning requirements. The policy should ensure that all aspects of the business are considered in the event of a disruption or a disaster.


2) Standards

Standards enable the organization to maintain the whole operating environment more efficiently.

There should be standards on issues like:
• Systems Development Process - This looks at the processes for designing, developing, testing, implementing, and maintaining systems and programs.
• Systems Software Configuration - Systems software provides a large element of control in the IT environment. The way operating systems, networking software, and database management systems are configured can either enhance security or create weaknesses that can be exploited.
• Applications Controls - All applications that support business activities should be controlled.
• Documentation - Standards should specify the minimum level of documentation required for each application system or IT installation, as well as for different classes of applications, processes, and processing centres.

3) Organization and Management

Issues to look at include:
• Separation of duties - This is a vital element of many controls. The structure should not allow responsibility for all aspects of processing data to rest upon one individual or department.

The functions of initiating, authorising, inputting, processing, and checking data should be separated so that no individual can both create an error, omission, or other irregularity and authorize it or obscure the evidence.
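The separation of initiating and authorising described here, together with the detective controls listed under 10.1.1 (inactive accounts, activity exceeding authority limits), can be tested directly against a transaction extract. The Python code below is an added example, not part of the manual or of IFMS; the column names, officer names, limits, threshold and sample rows are all constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample extract. Column names are assumptions, not a real IFMS schema.
TRANSACTIONS_CSV = """txn_id,date,account,amount,initiated_by,authorised_by
T001,2024-03-04,ACC-100,1200000,akello,mugisha
T002,2024-03-05,ACC-100,9500000,akello,Akello
T003,2024-03-06,ACC-200,48000000,okot,mugisha
T004,2024-03-07,ACC-300,700000,okot,nansubuga
T005,2024-03-08,ACC-200,2000000,okot,
"""

# Hypothetical authority limit per authorising officer (currency units).
AUTHORITY_LIMITS = {"mugisha": 10_000_000, "nansubuga": 5_000_000, "akello": 5_000_000}

# Hypothetical date of last activity per account before the extract period.
LAST_ACTIVITY = {
    "ACC-100": date(2024, 2, 20),
    "ACC-200": date(2024, 1, 15),
    "ACC-300": date(2022, 11, 1),   # no activity for over a year
}
INACTIVITY_THRESHOLD = timedelta(days=365)   # assumed definition of "inactive"


def load_transactions(text):
    """Parse the extract and normalise user ids so 'Akello' equals 'akello'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["date"] = date.fromisoformat(row["date"])
        row["amount"] = int(row["amount"])
        row["initiated_by"] = row["initiated_by"].strip().lower()
        row["authorised_by"] = row["authorised_by"].strip().lower()
        rows.append(row)
    return rows


def find_exceptions(transactions, limits, last_activity, threshold):
    """Return (txn_id, finding) pairs for every control exception detected."""
    findings = []
    last_seen = dict(last_activity)          # copy: do not mutate the caller's data
    for t in sorted(transactions, key=lambda r: (r["date"], r["txn_id"])):
        authoriser = t["authorised_by"]
        if not authoriser:
            # Posted without any recorded authorisation.
            findings.append((t["txn_id"], "NO_AUTHORISER"))
        else:
            if authoriser == t["initiated_by"]:
                # Same person initiated and authorised: separation of duties broken.
                findings.append((t["txn_id"], "SOD_SAME_USER"))
            if authoriser not in limits:
                findings.append((t["txn_id"], "AUTHORISER_HAS_NO_LIMIT"))
            elif t["amount"] > limits[authoriser]:
                findings.append((t["txn_id"], "OVER_AUTHORITY_LIMIT"))
        previous = last_seen.get(t["account"])
        if previous is not None and t["date"] - previous > threshold:
            # First movement on an account that had been dormant.
            findings.append((t["txn_id"], "INACTIVE_ACCOUNT_USED"))
        last_seen[t["account"]] = t["date"]
    return findings


if __name__ == "__main__":
    txns = load_transactions(TRANSACTIONS_CSV)
    for txn_id, finding in find_exceptions(
        txns, AUTHORITY_LIMITS, LAST_ACTIVITY, INACTIVITY_THRESHOLD
    ):
        print(txn_id, finding)
```

Each finding is an exception for follow-up, not proof of irregularity; the auditor/inspector still has to obtain the supporting documents for the flagged transactions.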

4) Physical and Environmental Control

All equipment must be protected. This includes servers and workstations that allow staff access to the applications.

Some physical controls include:
• Locating servers in locked rooms to which access is restricted.
• Restricting server access to specific individuals.
• Providing fire detection and suppression equipment.
• Housing sensitive equipment, applications, and data away from environmental hazards like low-lying flood plains or flammable liquid stores.

Under this, serious consideration should be put on contingency planning. Questions to ask include:
• What will the organization do if there is a fire or flood, or if any other threat manifests itself?
• How will the organization restore the business and related IT services to ensure normal processing continues with minimum effect on regular operations?

5) Systems Software Controls

Through system software products, application systems and users are able to use the organization’s IT equipment. Software products include: operating systems like Windows, Linux; firewalls, antivirus products, and database management systems like Oracle.

The following controls should be in a well managed IT environment;

• Access rights allocated and controlled according to MOF’s stated policy
• Division of duties enforced through systems software and other configuration controls
• Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored
• Intrusion testing performed on a regular basis
• Encryption services applied where confidentiality is a stated requirement
• Change management processes

6) Systems Development and Acquisition Controls

All applications should perform only those functions the user requires in an efficient way. By examining application development procedures, the auditor/inspector gains assurance that applications work in a controlled manner.

The following basic control issues should be evident in all systems development and acquisition work:
• User requirements should be documented and their achievement should be measured.
• Systems design should follow a formal process to ensure that user requirements and controls are designed into the system.
• Systems development should be conducted in a structured manner to ensure that requirements and design features are incorporated into the finished product.

7) Application-based Controls

Application controls should be the priority of every internal auditor/inspector. All internal auditors/inspectors should be able to evaluate a business process and understand and assess the controls provided by automated processes. The objective of internal controls over application systems is to ensure that:
• All input data is accurate, complete, authorized, and correct.
• All data is processed as intended.
• All data stored is accurate and complete.
• All output is accurate and complete.
• A record is maintained to track the process of data from input to storage, and to the eventual output.

Some of the controls expected to be found in any application include;

• Input Controls - These check the integrity of the data entered into the IFMS application. Input is checked to ensure that it remains within the specified parameters.

• Processing Controls - These provide automated means to ensure processing is complete, accurate and authorized.

• Integrity Controls - These monitor data in process and/or in storage to ensure that data remains consistent and correct.

• Management Trail (Processing History Controls) - These enable the tracking of transactions from the source to the ultimate result and to trace backward from results to identify the transactions and events they record. These controls should be adequate to monitor the effectiveness of overall controls and identify errors as close as possible to their sources.
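The input, processing and management-trail controls listed above can be seen working together on one batch of payment vouchers. The Python code below is an added example, not the manual's or IFMS's own code; the record layout, code format, amount limit and sample batch are constructed assumptions, and the hash-chained trail is one technique chosen here to make the processing history tamper-evident.

```python
import hashlib
import json
import re
from decimal import Decimal, InvalidOperation

MAX_AMOUNT = Decimal("50000000")      # hypothetical upper limit for one voucher
ACCOUNT_CODE = re.compile(r"\d{3}")   # hypothetical code format: three digits

# Constructed batch. The header carries the control figures prepared by the
# originating unit; V-002 and V-003 contain keying errors.
BATCH = {
    "header": {"batch_id": "B-0001", "record_count": 4, "control_total": "1875000.00"},
    "records": [
        {"voucher": "V-001", "account_code": "130", "amount": "500000.00"},
        {"voucher": "V-002", "account_code": "130", "amount": "-25000.00"},
        {"voucher": "V-003", "account_code": "13X", "amount": "350000.00"},
        {"voucher": "V-004", "account_code": "008", "amount": "1000000.00"},
    ],
}
CORRECTED_BATCH = {"header": BATCH["header"], "records": [
    BATCH["records"][0],
    {"voucher": "V-002", "account_code": "130", "amount": "25000.00"},
    {"voucher": "V-003", "account_code": "131", "amount": "350000.00"},
    BATCH["records"][3],
]}


def validate_record(rec, seen_vouchers):
    """Input control: return the list of edit failures for one record."""
    errors = []
    if not rec.get("voucher") or rec["voucher"] in seen_vouchers:
        errors.append("voucher missing or duplicated")
    if not ACCOUNT_CODE.fullmatch(str(rec.get("account_code", ""))):
        errors.append("account code not in expected format")
    try:
        amount = Decimal(str(rec.get("amount", "")))
        if not amount.is_finite() or not (Decimal("0") < amount <= MAX_AMOUNT):
            errors.append("amount outside permitted range")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def _trail_entry(prev_hash, payload):
    """Management trail: each entry commits to the entry before it."""
    body = json.dumps(payload, sort_keys=True)
    digest = hashlib.sha256((prev_hash + body).encode()).hexdigest()
    return {"prev": prev_hash, "payload": payload, "hash": digest}


def process_batch(batch):
    """Apply input edits, balance against the header, and record a trail."""
    header, records = batch["header"], batch["records"]
    accepted, rejected, trail, seen = [], [], [], set()
    prev = "0" * 64
    for rec in records:
        errors = validate_record(rec, seen)
        seen.add(rec.get("voucher"))
        (rejected if errors else accepted).append(rec)
        entry = _trail_entry(prev, {
            "batch": header["batch_id"], "voucher": rec.get("voucher"),
            "outcome": "rejected" if errors else "accepted", "errors": errors,
        })
        trail.append(entry)
        prev = entry["hash"]
    # Processing control: record count and accepted total must match the header.
    accepted_total = sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))
    count_ok = len(records) == header["record_count"]
    total_ok = accepted_total == Decimal(header["control_total"])
    return {"accepted": accepted, "rejected": rejected,
            "accepted_total": accepted_total, "count_ok": count_ok,
            "total_ok": total_ok,
            "posted": count_ok and total_ok and not rejected, "trail": trail}


def verify_trail(trail):
    """Recompute the chain; any edited or removed entry breaks it."""
    prev = "0" * 64
    for entry in trail:
        expected = _trail_entry(prev, entry["payload"])["hash"]
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    result = process_batch(BATCH)
    print("posted:", result["posted"], "accepted total:", result["accepted_total"])
    print("rejected:", [r["voucher"] for r in result["rejected"]])
    print("trail intact:", verify_trail(result["trail"]))
```

The batch with keying errors is held because it does not balance to its header, and it posts only once the corrected records bring the accepted total back to the control total.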

8) Baseline IT Controls

These are the basic set of controls that need to be in place in order to provide a fundamental level of IT security. Baseline controls are most widely applicable to all IT infrastructures.

Some of the questions to be considered when selecting a suitable set of baseline controls include;
• Do IT policies exist?
• Have responsibilities for IT and IT controls been defined, assigned, and accepted?
• Are IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Is antivirus software implemented and maintained?
• Is firewall technology implemented in accordance with policy?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Are specialist IT audit skills available (either internally or outsourced)?

10.1.2.2 Control Weaknesses In IT Systems

• Lack of formal IT planning mechanisms with the result that IT does not serve the ministry’s pressing needs or does not do so in a timely and secure manner.

• Lack of formal security policies resulting in a piecemeal or ‘after-an-incident’ approach to security

• Inadequate program change control leaving software vulnerable to unauthorized changes

• Little or no awareness of key security issues and inadequate staff to address the issues

• Failure to take full advantage of all security software features like selective monitoring capabilities, enforcement of stringent password rules, and review of key security reports.

• Inadequate user involvement in testing and sign-off for new applications resulting in systems that fail to meet user functional requirements or confidentiality integrity.

• Virus definitions that are not kept up to date

• Failure to formally assign security administration responsibilities to staff that are technically competent, independent, and report to senior management.

10.1.2.3 Monitoring IT Controls

Management is responsible for monitoring and assessing controls. The internal auditor/inspector’s monitoring and assessment are performed to independently attest to management’s assertions regarding the adequacy of controls. Management’s control monitoring and assessment activities should be planned and conducted within several categories, such as ongoing monitoring and special reviews.

10.2 Internal Auditing Role in relation to IT

This involves the following;
• Advising the audit committee and senior management on IT internal control issues.
• Ensuring IT is included in the annual audit plan.
• Ensuring IT risks are considered when assigning resources and priorities to audit activities.
• Defining IT resources needed by the internal audit department, including specialized training of audit staff.
• Ensuring that audit planning considers IT issues for each audit.
• Liaising with auditees to determine what they want or need to know.
• Performing IT risk assessments.
• Determining what constitutes reliable and verifiable evidence.
• Performing IT enterprise-level control audits.
• Performing IT general control audits.
• Performing IT application controls audits.
• Performing specialist technical IT control audits.
• Making effective and efficient use of IT to assist the audit process.
• During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.
• Helping to monitor and verify the proper implementation of activities that minimize all known and documented IT risks.

10.3 Common IT Process Controls

This Appendix includes illustrative IT Process controls that are commonly used. These lists are intended for use as a guide for discussions between the engagement team and auditee personnel. They are not intended to be checklists for identifying controls over the IT processes, nor are they intended to be considered exhaustive lists of potential controls over the IT processes. The absence of one or more of these controls does not necessarily mean that the auditee’s controls are ineffective. The evaluation of the effectiveness of controls over an IT process is considered within the context of all of the controls in place over that process.

10.3.1 Acquisition, Implementation, and Maintenance of IT Solutions

Below is a listing of common controls over the IT process of Acquisition, Implementation, and Maintenance of IT Solutions.

• The auditee has formal policies and procedures in place that define its approach to systems acquisition and change management (e.g., a formal systems development methodology).
• User department and IT department management approval is required before systems acquisition and/or change projects are undertaken.
• Project documentation that includes systems requirements definitions, risk analyses, and cost-benefit analyses is maintained.
• There is a mechanism in place for the periodic review of the service organization’s operational and control effectiveness.
• The auditee’s systems acquisition and change approach addresses security risks.
• The auditee’s systems acquisition and change approach addresses data conversion.
• Environments (either logical or physical) separate from production systems exist for development (or modification) and testing of IT solutions.
• Management must review and approve IT solutions prior to their implementation.
• End users are actively involved in the test process.
• Development personnel are prohibited from migrating applications and data from the test environment to production.
• Post-implementation review procedures are performed for any system modifications made during an emergency.

10.3.2 Delivery and Support of IT Solutions

Below is a listing of common controls over the IT process of delivery and support of IT solutions.

• The auditee has formal policies and procedures in place that define its approach to system security (including confidentiality of data and information).
• A mechanism is in place for communicating security policy to employees (e.g., requiring users to sign an acknowledgement that they have read and understood the auditee’s security policies).
• A security organization exists that is independent of both the user departments and other IT department functions.
• IT department personnel do not have operational or accounting responsibilities.
• Appropriate user department and IT department management controls access to the following:
  - Local and wide area networks.
  - Remote connection to networks and/or applications.
  - Internet/intranet sites.
  - Applications and application modules.
• The following user account security parameters are in place:
  - Users are assigned unique accounts.
  - Adequate passwords are required (e.g., minimum and maximum password length, non-alphabetic characters, upper and lower case alphabetic characters).
  - Users create their own passwords (e.g., passwords are not assigned).
  - Periodic password changes are required.
  - User accounts are disabled after a limited number of unsuccessful logon attempts.
  - Users are limited to one session per account (e.g., concurrent sessions or logons are not allowed).
  - Measures are in place to prevent the repeated use of a password.
  - Administrator rights are assigned to a limited number of individuals who require those rights to perform their job duties.
• Communications with public networks are controlled by a firewall. The firewall is implemented to:
  - Hide the structure of the auditee’s network.
  - Provide an audit trail of communications with public parties.
  - Generate alarms when suspicious activity is suspected.
  - Defend itself and/or the auditee’s network against attack.
• Procedures for protection against malicious programs are in place through the use of anti-virus software and other measures (which may include policies limiting the installation of unapproved programs, procedures for reporting suspected occurrences of viruses, etc.).
• Physical access to technology infrastructure is restricted.
• Access to internal networks and/or applications by suppliers, customers, and/or other business partners is approved by appropriate management and limited to those networks and/or applications required for the conduct of business.
• Representatives of suppliers, customers, and/or other business partners are required to adhere to the auditee’s policies, procedures, and security standards when accessing the auditee’s systems.

Below is a listing of common controls over the IT process of Monitoring IT Solutions.¹

• Security settings and parameters are periodically reviewed for compliance with organizational standards.
• Activities of systems administrators and other privileged users are logged and frequently reviewed.
• Processing errors and access violations are logged. These logs are routinely reviewed and follow-up is performed for any unusual or unexpected items appearing in the logs.
• The auditee has formal policies and procedures in place concerning the update and/or removal of systems access rights to employees who change job duties or leave the company.
• User department and IT department management periodically review each significant system and application for unauthorized user accounts.
• Control effectiveness of service organizations is periodically reviewed. (For example, the auditee may conduct an audit or request of the service organization.)
• Policies and procedures are revised (in a timely manner) to reflect organizational and/or operational changes in the business.
• Management acts on recommendations provided by independent performance assessments (e.g., Internal Audit reports).

¹ These controls may be identified while we gain an understanding of the other IT processes.

10.4 Risk Considerations in Determining the Adequacy of IT Controls

The chosen IT controls must add value to the organization by reducing risk efficiently and increasing effectiveness.

In considering the adequacy of IT controls with MOF’s internal control framework, the internal auditor/inspector should consider the processes established by management to determine:

• The value and criticality of information.
• Ministry of Finance’s risk appetite and tolerance for each function and process.
• IT risks faced by MOF and the quality of service provided by its users.
• The complexity of the IT structure.
• The appropriate IT controls and the benefits they provide.
• Harmful IT incidents in the past 24 months.

10.5 Control Characteristics to Consider

Some of the issues to be addressed during the IT control evaluation process include;
• Is the control effective?
• Does it achieve the desired result?
• Is the mix of preventive, detective and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail? How is management alerted to failures, and which steps are expected to be taken?
• Is evidence retained (audit trail)?

10.6 The IT Audit Procedures

The Auditor/inspector must identify the principal audit risks so as to develop an appropriate audit strategy in the overall audit plan. The IT auditor/inspector must therefore gain a thorough understanding of the IT environment prior to planning the audit. The following guidelines provide step-by-step procedures which the Internal Auditor/inspector may follow when undertaking an audit of information systems.

The Auditor/inspector shall:

(i) Determine the audit objective/s

(ii) Conduct a preliminary survey

• Ascertain the organisation’s core processes and operations, determine whether they are automated, and assess the extent of automation.

• Establish whether the organisation has policies, procedures and guidelines in respect to both automated, manual processes and IT applications, and whether they have been communicated to ALL employees. [Lack of policies and procedures indicates a weak control environment and high control risk] – this helps the Auditor/inspector to plan and select the appropriate CAATs (computer assisted audit techniques), BEASTs (beneficial electronic analysis and support tools) and audit tools to use i.e. Audit Software (used for substantive procedures) or Test Data (used for testing controls).

• If the policies and procedures exist, the Auditor/inspector must ensure that they are up-to-date. The Auditor/inspector must thereafter benchmark the policies and procedures against best practices. Report any inconsistency and advise accordingly.

• Understand the organisation’s hardware and software platforms. Identify whether the computing environment is Linux or LAN environment, Windows NT, OS/400/390, etc. This helps to determine the appropriate CAATs and BEASTs to use.

(iii) Develop an audit program and budget

(iv) Conduct field work and undertake audit tests

(v) Determine findings and conclusions

(vi) Communicate results to appropriate parties

(vii) Follow up and review the extent of implementation of recommendations.

10.7 Planning an IT Audit

In planning an IT audit, the auditor/inspector shall obtain an understanding of the significance and complexity of the IT activities and the availability of data for use in the audit. The auditor/inspector may consider the following issues at this stage of the audit:

(a) Undertake all those procedures that may enable obtaining an understanding of the entity and its environment, including:

- Holding meetings with management and IT personnel
- Making inquiries of management and others within the entity
- Observing and inspecting the entity’s processes and operations so as to obtain the required understanding of the entity’s control environment, IT system and the related business process relevant to financial reporting.

(b) Identify the standards and best practices against which the organisation’s IT systems can be benchmarked. These are quite a number and they include: accounting, auditing and IT standards – for example, International Standards on Auditing (ISAs), a code of practice for information security management, the organisation’s own IT policy, ISO 17799 – the international standards on security, the Basel Accord on IT operational risk management guidelines, CoBIT 4th Edition – Control Objectives for IT Strategic Management and any other known best practice in IT management and control.

(c) The auditor/inspector must consider the significance and complexity of computer processing in each accounting application. Significance relates to materiality of the financial statement assertions affected by computer processing. This may be considered complex, when for example;

• The volume of transactions is such that users would find it difficult to identify and correct errors in processing

• The computer automatically generates material transactions or entries directly to another application

• The computer performs complicated computations of financial information and/or automatically generates material transactions or entries that cannot be (or are not) validated independently

• Transactions are exchanged electronically with other organisations (as the case with EDI systems) without manual review for propriety or reasonableness

(d) The organisational structure of the IT activities and the extent of concentration or distribution of computer processing throughout the organisation, particularly, may affect segregation of duties.

(e) When conducting an IT systems review, the internal auditor/inspector shall obtain an understanding of the IT environment and whether it may influence the assessment of inherent and control risks. The internal auditor/inspector must be aware of the internal control characteristics and the nature of the risks in an IT environment. These typically include the following:

(i) Uniform processing of transactions and consistency of performance (in case of a system error, all transactions processed would be incorrect, unlike manual processing).

(ii) Lack of segregation of duties (where a member of staff performs incompatible functions like receiving cash, authorising transactions and updating the system. The risk of fraud and error is increased in the absence of proper segregation of duties)

(iii) Potential for errors and irregularities (potential for the IT staff (or other staff) to gain unauthorised access to data or to alter data without visible evidence)

(iv) Decreased human involvement in handling transactions processed by a CIS environment reduces the potential for observing errors and irregularities (an IT environment decreases the need for human involvement)

(v) Concentration of knowledge, programs and data (in the IFMS, for example, all the financial information is kept on one server; this threatens the Ministry’s operations if, say, it got spoilt)

(vi) Automatically generated transactions (the IFMS system automatically generates reports and accounts)

(vii) Lack of source documentation and audit trail (computers do not show handwriting to indicate who authorised what and when. Other controls, like access rights, show this; however, passwords can be cracked or copied – a policy is needed here too)

(viii) Ease of access to data and programs (it could be easier to tap into a network, or access the server from within, in case of lack of security controls. Viruses and other spyware from the internet can easily find their way in)

(ix) Multiple files update (incorrect data input may incorrectly update all other accounts in the system)

(x) Vulnerability of storage media (computer diskettes, memory chips and floppy disks may be vulnerable to risks of theft and loss in the absence of a policy and proper access controls).

10.8 Risk Scoring System

An effective scoring system ensures that the risk-based IT audit program is successful.

The following are some of the major risk factors that should be considered;

• The adequacy of internal controls;
• The nature of transactions;
• The age of the application or system;
• The nature of the operating environment (for example, changes in volume);
• The physical and logical security of information, equipment, and premises.

Auditors/inspectors need to develop written guidelines on the use of risk assessment tools and risk factors and review these guidelines with the audit committee. The guidelines should be used to assess major risk areas and to define the range of scores or assessments (e.g. groupings like low, medium, and high risk).

10.9 Application Audit Programme

This is a sample of the Application Audit programme that can be used by an IT auditor/inspector

Procedure | Working Paper Reference

1. Gain an understanding of the use of the application in the business area, including the key processes supported.

2. Identify the population of application users, including third parties, administrators and members of the IT department by obtaining a system-generated report of users and discussing the list with the administrator.

3. Gain an understanding of the user administration process. The process should include:

• Authorisation for users’ access from an appropriate person;

• Periodic reviews of user access;

• Identification of employees leaving the organization and revocation of their access.

Administrators should not have operational responsibilities or be involved in processing transactions in the application, and the user administration process should be clearly documented.

4. Select a sample of users and confirm their access to the application has been appropriately authorised. For each member of the sample, confirm that the access assigned to him or her matches that authorised. Appropriateness of user access is tested under procedure 8.

5. Verify whether periodic reviews of user access are performed and whether appropriate follow-up actions have been executed. These reviews should be evidenced. Using system reports, identify users whose accounts have been inactive for more than 30 days. For any such users confirm that they are valid employees with authorised access.

6. Select a sample of leavers (including transfers) from the past 12 months and confirm that their access to the application has been revoked, deleted or amended (for transfers).

7. Gain an understanding of the method of adequately segregating duties² within the application, such that users are not capable of processing an entire transaction without independent authorisation. An individual user should not be able to initiate, record, process and report a transaction independently. Assess whether there is a process in place for identifying incompatible functions and for ensuring access rights do not compromise the effective segregation of duties.

² As well as preventing users from executing a transaction independently from initiation to reporting, there are also elements within a transaction or process that should be segregated. For example, it is recommended that users with the ability to create or amend vendor details not be involved in processing purchase orders, invoices or receiving goods to reduce the risk of fraud.

8. Gain an understanding of how users’ access rights are assigned (e.g. through the use of profiles, membership of groups). For a sample of users, profiles or groups (as applicable) evaluate whether the access assigned is appropriate for their role in the business. Identify users with access to sensitive or privileged transactions (including the ability to amend, reverse, cancel or delete transactions) or powerful access rights (including administrator rights). Confirm that users with such rights are appropriate. If applicable, identify users with access to transactions identified as being key to elements of related business audit procedures and confirm that users with such rights are appropriate. If applicable, gain an understanding of authorisation procedures and authority limits for key activities within related business processes, the corresponding transactions within the application used to initiate or control such activities and the users with access to them. Assess whether procedures and authority limits are appropriate and that only authorised users have access to amend them.

9. Gain an understanding of how user IDs are assigned to users. Users should be assigned unique user IDs. Identify the existence of any shared or standard IDs (e.g. guest, test) and assess the controls surrounding their usage. Investigate questionable IDs.

10. Gain an understanding of the password structure and usage within the application. Characteristics to identify include:

• Minimum/maximum password length (6-10 characters);

• Password masking upon entry (i.e. passwords are not visible when entered);

• Password expiry (frequency of enforced change, every 30 to 90 days);

• Requirement for particular characters (e.g. numeric in addition to alpha characters);

• Password history (to prevent reuse of old passwords);

• Account lockout after a given number of failed access attempts (three to five attempts); and

• Disabling of user IDs after a given period of inactivity (30 days).

Confirm whether any globally established password settings could be overridden at the user level.

11. Identify whether any audit logs are created relating to user activities, including:

• Unauthorised access attempts;

• Access to privileged functions (e.g. creation/deletion of users); and

• Alterations to security parameters.

If available, assess whether they are reviewed on a timely basis and appropriate follow-up actions taken. Review security logs to identify any apparent issues (e.g. repeated failed access attempts by a single user) and ensure they have been appropriately resolved.

12. Confirm that the hardware (e.g. server(s)) on which the application operates is centrally hosted by the IT department. If not, gain an understanding of the physical security controls around servers, terminals and workstations related to the application. Hardware should be physically secured from accidental or deliberate abuse. The environment in which the hardware operates should have appropriate environmental controls (e.g. fire detection and suppression, uninterruptible power supply, air conditioning).

13. Confirm that application data is subject to centrally managed backup procedures. If not, gain an understanding of the procedures implemented for the backing up and restoration of application data. Data should be regularly backed up (typically daily). Controls should be in place to ensure backups have been successful, are regularly tested and are stored securely offsite (i.e. separately from the application hardware).

14. Confirm that the changes to the application are managed under centrally established processes. Changes could include vendor patches, maintenance and internally initiated developments. If not, gain an understanding of procedures implemented for the changes:

• authorisation (e.g. that the change passes cost/benefit analysis);

• testing (e.g. that the change meets business requirements); and

• approval (e.g. that the change should be implemented).

15. Gain an understanding of the interfaces in place with other applications. Consider the need to identify and evaluate controls designed to ensure data passed between related applications is:

• complete (i.e. that all data sent is received); and

• accurate (i.e. that the data is not subject to unauthorised change during the interface process).

These controls might be programmed (e.g. header and footer records in interface files) or involve manual intervention (e.g. reconciliation of data from source application to destination).
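The user access tests in procedures 5, 6, 7 and 9 can be run over a system-generated user report with a short script. The following is an added example, not part of the manual or of any audited system; the report columns, role names, sample users and review date are constructed assumptions.

```python
"""User access tests from the application audit programme (procedures 5, 6, 7 and 9).

Added illustration: the report layout, role names and sample rows are
constructed assumptions, not taken from the IFMS or any real application.
"""
import csv
import io
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=30)   # procedure 5: inactive for more than 30 days
SHARED_IDS = {"guest", "test"}          # procedure 9: shared or standard IDs named in the text
# Footnote to procedure 7: vendor maintenance should not be combined with
# purchase order, invoice or goods receipt processing.
VENDOR_MAINTENANCE = "vendor_maintenance"
CONFLICTING_WITH_VENDOR = {"purchase_orders", "invoices", "goods_receipt"}

# Constructed system-generated user report.
USER_REPORT = """user_id,status,last_logon,roles
akello,active,2024-06-27,invoices
bmukasa,active,2024-04-02,purchase_orders
cnamara,active,2024-06-25,vendor_maintenance;invoices
dokot,active,2024-06-20,goods_receipt
eopio,disabled,2024-01-15,invoices
guest,active,2024-06-28,reports
"""

# Constructed HR list of leavers from the past 12 months (procedure 6).
# Transfers need a comparison of old and new roles and are not covered here.
LEAVERS = """user_id,event,effective_date
dokot,left,2024-05-31
eopio,left,2024-01-31
"""


def load(text):
    """Parse a CSV report held in a string into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(users, leavers, as_of):
    """Return {test name: sorted list of user IDs that need follow-up}."""
    findings = {"inactive": [], "leaver_active": [], "shared_id": [], "sod_conflict": []}
    left = {row["user_id"] for row in leavers if row["event"] == "left"}
    for user in users:
        uid = user["user_id"]
        enabled = user["status"] == "active"
        roles = set(filter(None, user["roles"].split(";")))
        last_logon = date.fromisoformat(user["last_logon"])
        # Procedure 5: enabled accounts with no logon for more than 30 days.
        if enabled and as_of - last_logon > INACTIVITY_LIMIT:
            findings["inactive"].append(uid)
        # Procedure 6: leavers whose access has not been revoked.
        if enabled and uid in left:
            findings["leaver_active"].append(uid)
        # Procedure 9: shared or standard IDs.
        if uid.lower() in SHARED_IDS:
            findings["shared_id"].append(uid)
        # Procedure 7 footnote: incompatible functions held by one user.
        if VENDOR_MAINTENANCE in roles and roles & CONFLICTING_WITH_VENDOR:
            findings["sod_conflict"].append(uid)
    return {name: sorted(ids) for name, ids in findings.items()}


if __name__ == "__main__":
    result = review_access(load(USER_REPORT), load(LEAVERS), as_of=date(2024, 6, 30))
    for test, ids in result.items():
        print(f"{test:14} {', '.join(ids) or '-'}")
```

Each flagged ID is a lead for the follow-up the procedures describe (confirming authorisation with the administrator), not a finding in itself.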
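One way a programmed interface control of the kind mentioned in procedure 15 can work, with header and footer records carrying a batch identifier, record count and control total. This is an added example, not the manual's or the IFMS's own format; the pipe-delimited layout and the sample records are constructed assumptions.

```python
"""Programmed interface control (procedure 15): header and footer records.

Added illustration. The pipe-delimited layout below is a constructed
assumption, not the format of the IFMS or any real interface file:
    H|<batch id>|<source application>
    D|<transaction ref>|<amount>
    T|<batch id>|<detail record count>|<control total of amounts>
"""
from decimal import Decimal, InvalidOperation

# Constructed file as written by the source application.
SENT = """H|B0001|PAYROLL
D|TX-1001|1250.00
D|TX-1002|310.50
D|TX-1003|89.25
T|B0001|3|1649.75
"""
# Constructed variants as they might arrive at the destination application.
DROPPED = SENT.replace("D|TX-1002|310.50\n", "")   # one record lost in transfer
ALTERED = SENT.replace("|89.25", "|890.25")        # one amount changed in transfer


def check_interface_file(text):
    """Return a list of exceptions; an empty list means the file reconciles."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("H|") or not lines[-1].startswith("T|"):
        return ["missing header or footer record (file may be truncated)"]
    header, footer = lines[0].split("|"), lines[-1].split("|")
    if len(header) != 3 or len(footer) != 4:
        return ["malformed header or footer record"]
    exceptions = []
    if header[1] != footer[1]:
        exceptions.append(f"batch id mismatch: header {header[1]}, footer {footer[1]}")
    count, total, seen = 0, Decimal("0"), set()
    for number, line in enumerate(lines[1:-1], start=2):
        fields = line.split("|")
        if len(fields) != 3 or fields[0] != "D":
            exceptions.append(f"line {number}: not a valid detail record")
            continue
        try:
            amount = Decimal(fields[2])
        except InvalidOperation:
            exceptions.append(f"line {number}: amount is not numeric")
            continue
        if fields[1] in seen:
            exceptions.append(f"line {number}: duplicate transaction ref {fields[1]}")
        seen.add(fields[1])
        count += 1
        total += amount
    try:
        expected_count, expected_total = int(footer[2]), Decimal(footer[3])
    except (ValueError, InvalidOperation):
        return exceptions + ["footer count or control total is not numeric"]
    # Completeness: all data sent is received.
    if count != expected_count:
        exceptions.append(f"completeness: footer says {expected_count} records, received {count}")
    # Accuracy: amounts were not changed during the interface process.
    if total != expected_total:
        exceptions.append(f"accuracy: footer control total {expected_total}, computed {total}")
    return exceptions


if __name__ == "__main__":
    for name, sample in (("sent", SENT), ("dropped", DROPPED), ("altered", ALTERED)):
        print(name, check_interface_file(sample) or "reconciles")
```

A record count and control total do not detect offsetting amount changes within one file; reconciliation of data from the source application to the destination covers that case.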

10.10 Other Issues to Consider in the Audit Programme

• Logical access controls relating to supporting operating systems, networks or databases;

• Physical security controls (including environmental controls and data centre procedures);

• Physical access to computer facilities and data should be appropriately restricted.

The auditor/inspector should consider the following points of focus:
- How is physical access to the site/building containing the computer facilities restricted?
- How is physical access to the room(s) containing the computers restricted?
- How well protected is removable media (such as off-line data storage)?
- How are confidential documents labelled and protected?
- To what extent has the organisation adopted a clear desk policy?
- How well secured is systems documentation?
- How secure is the disposal of discarded computer equipment and data media?

• Controls over data input, output and processing (including transaction audit trails);

• Continuity and availability procedures (including disaster recovery plans and documentation);

The auditor/inspector needs to ascertain that there is adequate back-up of information and that the procedure to deal with operational failures is effective. For back-ups, the auditor/inspector should focus on the following;
- Are backup procedures appropriate for data and programs?
- Are backups accurately logged and stored in a secure location?
- What ensures that backup and recovery procedures will work when required?
- Is data retained sufficiently to meet regulatory requirements?

• Recovery from operational failure

There should be appropriate procedures to ensure that operational failures (e.g. disk drive problems, program amends, other emergencies) are identified, resolved in a timely manner, and, where appropriate, approved retrospectively by appropriate IT staff and users.

The following are some of the points of focus for the auditor/inspector auditing this area:
- To what extent is computer equipment appropriately sited or protected to prevent the risk of accidental damage (e.g. from fire, smoke, water, dust, vibration, chemicals, electromagnetic radiation)?
- To what extent is equipment being appropriately maintained?
- What controls are in place to prevent operational failures arising from hardware failure?
- How is the power supply to the computer facilities secured?
- What procedures are in place to ensure performance meets business needs?
- How are faults logged?
- What procedures are in place to resolve operational failures?

• Anti-virus procedures;
• Data privacy considerations;
• Software licenses;
• Operational controls (including batch processing); and
• Change control (including application selection, implementation and maintenance).

10.11 Audit Methodology and Best Practices: Summary

The following methodology may be used as a reference guide to help successfully undertake an audit in an IT environment. It must not be used in lieu of an expert opinion and advice.

Action | Explanation | Example

1. Action: Define the audit subject

Explanation: Identify the area to be audited. For example, each organisational department or process may be identified as an audit area, which may further be classified into sub-audit areas.

Example: Audit subject: Finance Department in the Finance Ministry. (Note: A number of processes may exist in the finance department, e.g. payroll processing, procurement and payments processing, MIS and asset management. It is unlikely that these processes would be manually operated – as long as any computer is involved in the processing, an IT environment exists.) For the finance department, the audit subject would be the Accounting and Stock Control System.

2. Action: Determine the audit objective/s

Explanation: Identify the intention or purpose of the audit. This helps the auditor/inspector to plan the audit adequately.

Example: Examples of audit objectives could include:

• To ensure that assets, liabilities and transactions are free from material misstatements, by ensuring that each asset, liability and transaction meet the Completeness, Occurrence, Valuation, Existence, Reasonable Measurement Presentation (COVER MP) assertions.

• To determine whether business systems are adequately backed up and that backup copies are held in a secure and remote media store.

• To determine whether the company’s information meets the quality, fiduciary and security requirements. E.g., for X Ltd’s accounting system, one may consider the use of CAATs (ACL, SQL, IDEA etc.) to do this.

• To determine that policies and procedures exist in respect to:
- data centre and network operations
- software and hardware acquisition, change and maintenance
- information security and internet use

3. Action: Audit scope or extent

Explanation: This involves identification of specific functions, processes or systems of the organisation to be included in the review.

Example: For example, in the above systems backups’ example, the audit scope statement might limit the review to a single application system (e.g. the accounting system, payroll, EFT system etc.) or to a limited period of time. The scope of the audit is usually limited to the 12 months period ended.

4. Action: Pre-audit planning

Explanation: The auditor/inspector shall obtain an understanding of how the entity responds or has responded to the risks arising from IT. The auditor/inspector must:
- Identify processes/assets/facilities to be audited
- Identify technical skills and resources needed.
- Identify the appropriate CAAT tool/s to use, based on the organisation’s IT platform, and
- Identify the sources of information for test or review.

Example: At this stage, the auditor/inspector needs to obtain the entity’s
• Finance and accounting policy
• IT security policy
• Risk management policy
• Operational policies and procedures
• Functional flow-charts
• Standards.

The auditor/inspector has to benchmark the entity’s policies, standards, practices and procedures against best standard practices identified. The auditor/inspector must then consider whether risks are of a magnitude to result in material misstatement of the financial statements based on the degree to which the entity’s standards deviate from best practices.

5.

Design audit procedures and steps of information gathering

Depending on the results of the risk assessment, the auditor/inspector has to identify and select the audit approach to verify and test the controls or to undertake detailed tests of account balances and transactions relevant to the entity’s financial reporting objective/s (which are material).

• Review the policy documents.

• Use audit tools, e.g. BEASTS (CAATs which review data and those which review controls), to reduce the audit risk to acceptable levels (you may consider the use of a specialist). Examples of CAATs include IDEA, ACL and SQL. It is important to obtain professional advice prior to using CAATs.

• Analyse data and identify areas of risk. Evaluate whether identified weaknesses/risks could result in material weaknesses and cause the entity to fail its financial reporting objective/s.

Assess the entity’s risk assessment and management process. Review the entity’s risk management policy. Determine how management identifies business risks relevant to financial reporting, estimates the significance of the risks and their likelihood of occurrence, and how the risks are managed.

6.

Evaluate and review results

The auditor/inspector must review all the working papers and document findings. This is important for audit work quality control in line with ISA 220.

The procedures for evaluating the test or review of results might be organisation specific. Each audit firm or internal audit department must have documented procedures for reviewing and evaluating audit results. The audit senior might re-perform the audit tests prior to signing off.

7.

Prepare draft report and communicate with management

A draft report detailing potential areas of risk has to be prepared, which must then be discussed with the auditee management before a final audit report is written.

Whether the auditor/inspector’s opinion is qualified or unqualified, reasons for arriving at the opinion must be documented and explained to the auditee. Detailed analysis of weaknesses within the entity’s system is necessary. The auditor/inspector must also provide recommendations which may help mitigate the identified risks.

8.

Prepare final audit report

The final report may also contain a summary report of observations, risks, recommendations, and auditee responses.

The final report may be submitted to senior management (because they make decisions and can implement the auditor/inspector’s recommendations and make a follow up).


9.

Review and follow up

It is important for the auditor/inspector to make a follow up so as to ascertain the extent to which the auditor/inspector’s recommendations have been implemented.

Follow up would help ease the auditing exercise of the subsequent audit. This is good for both the auditor/inspector and the entity, as it would help reduce the amount of audit work and cost.

The above methodology is not conclusive. The auditor/inspector must continuously keep abreast of the latest changes in technology and be able to undertake real value-adding audits.

10.12 Audit of the Integrated Financial Management System (IFMS)

The IFMS is organized according to modules. Each module has risks attached to it and therefore the internal auditor/inspector has to apply different procedures depending on the category being audited.

10.12.1 Journal Voucher Processing

This is the entering of journals manually or from sub ledger systems and other IFMS modules as input data into the General Ledger.

10.12.1.1 Control Objectives

• Only valid and authorized JVs may be entered into the GL

10.12.1.2 Control Questionnaire

Key control questions Yes/No Remarks WP Ref

Are the journals posted timely from the sub-ledgers?

Are procedures in place to ensure that only authorised manual journals are posted to GL?

Are some journal entries not in accordance with the Generally Accepted accounting principles? Do they result in material misstatement?

10.12.1.3 Audit Procedure

• Review documentation relating to the manual procedures concerning the preparation, submission and approval of manual JVs

• Export a list of journals whose source is manual (use the GL Journal enquiry facility).

• Get a sample of the manual JVs and ascertain whether their purpose is clearly recorded and whether the authorized officer approved them

• Interview the HOA to ascertain whether he checks the accuracy of the JV entries

• Review the sample of journals online

• Download the posted General Journal report from the system

• Review the posted journal batches and the journals associated with each posted journal batch. (This will help you trace transactions back to the original source)

• Review journals posted from the sub ledgers using the drill down facility of GL

• Export the Trial Balance detail report. Analyze and identify accounts with significant balances. Use the account enquiry feature to investigate the corresponding journals.
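The manual-journal steps above (export the journals whose source is manual, then check that the purpose is recorded and that an authorised officer approved each one) can be run over the whole export before a sample is drawn for vouching to hard copy. The following is an added example, not part of the manual or of the IFMS: the CSV layout, column names, user IDs and the list of authorised approvers are constructed assumptions, and the preparer-equals-approver test goes slightly beyond the text.

```python
import csv
import io
import random

# Constructed journal export. Column names and user IDs are assumptions for
# illustration; they are not the layout of the IFMS GL Journal enquiry export.
EXPORT = """journal_no,source,description,prepared_by,approved_by,amount
JV-0001,Manual,Reclassify fuel expense to correct vote,clerk1,hoa1,1500000
JV-0002,Payables,Invoice batch transfer,system,,8200000
JV-0003,Manual,,clerk1,hoa1,400000
JV-0004,manual,Year-end accrual adjustment,clerk2,,2750000
JV-0005,Manual,Correct posting error,clerk2,clerk2,90000
JV-0006,Manual,Suspense clearance,clerk1,officer9,6100000
JV-0007,Purchasing,Encumbrance release,system,,310000
JV-0008,Manual ,Bank charges for the month,clerk3,hoa1,45000
"""

# Assumption: taken from the entity's documented JV approval procedure.
AUTHORISED_APPROVERS = {"hoa1"}


def manual_journals(export_text):
    """Return the journals whose source is manual, with whitespace trimmed."""
    rows = csv.DictReader(io.StringIO(export_text))
    cleaned = [{k: (v or "").strip() for k, v in row.items()} for row in rows]
    return [r for r in cleaned if r["source"].lower() == "manual"]


def approval_exceptions(journals, authorised):
    """Test every manual journal; return (journal_no, amount, reasons)."""
    findings = []
    for j in journals:
        reasons = []
        if not j["description"]:
            reasons.append("purpose not recorded")
        if not j["approved_by"]:
            reasons.append("no approval recorded")
        elif j["approved_by"] not in authorised:
            reasons.append("approver not an authorised officer")
        if j["approved_by"] and j["approved_by"] == j["prepared_by"]:
            reasons.append("prepared and approved by same user")
        if reasons:
            findings.append((j["journal_no"], int(j["amount"]), reasons))
    return findings


def vouching_sample(journals, size, seed):
    """Reproducible random sample of journal numbers to vouch to hard copy."""
    rng = random.Random(seed)  # record the seed in the working paper
    picked = rng.sample(journals, min(size, len(journals)))
    return sorted(j["journal_no"] for j in picked)


if __name__ == "__main__":
    population = manual_journals(EXPORT)
    for journal_no, amount, reasons in approval_exceptions(
            population, AUTHORISED_APPROVERS):
        print(journal_no, amount, "; ".join(reasons))
    print("Vouch to hard copy:", vouching_sample(population, 3, seed=2024))
```

Recording the seed alongside the export lets a reviewer re-perform the same selection.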

10.12.2.0 General Ledger Set Up

Set up documentation helps to maintain the continuity of the set up parameters and to ensure that no unauthorized changes to the GL set up were made. The biggest risk here is unauthorised changes being made to the GL set up.

10.12.2.1 Control Questionnaire

Key control questions Yes/No Remarks WP Ref

Is the suspense account posting allowed in IFMS GL?

Is the journal approval feature enabled?

Are procedures in place to ensure that all changes to the GL set up are authorized and documented?

Is there restriction and monitoring of changes to GL set up parameters, flex field security rules, and cross validation rules?

10.12.2.2 Audit Procedure

• Review documentation regarding the GL set up, segment qualifiers and cross validation rules.

• Ascertain that no unauthorised changes to the set up parameters have been made.

• Review the set of books documentation and also the options.

10.12.3.0 Chart of Accounts Maintenance

The process of maintaining the Chart of Accounts (CoA) includes functions like system maintenance of application control files, configuration of standard tables, user access and control issues, as well as defining currency, accounting periods and user parameters. Once the structure has been defined, it cannot be modified. The IFMS captures, stores, reports and controls all information and transactions at the Code Combination level. Only the Commissioner, Treasury Office of Accounts has Chart of Account value access.


10.12.3.1 Control Objective

• Before any alteration/addition is made to the COA, a valid request from an MALG, approved by the Accountant General, should be obtained. A paper trail of the request should be in existence.

10.12.3.2 Audit Procedure

• Review the documentation of procedures
• Review the new account code request forms
• Review documentation relating to the determination of the code structure by the DOB.
• Review evidence of approval of the new code by the AG

10.12.4.0 Purchasing Module Audit Procedures

The purchasing function has a number of sub-processes as shown below;
• Set up
• Creation of Supplier Master and Item Master
• Requisition
• Request for quotation
• Issuance of Purchase Order
• Receiving
• Invoicing

The purchasing module integrates with the GL module, Payables module and the Dossier.

10.12.4.1 Purchasing Control Objectives

• Laid down procedures are observed
• All purchases are authorised
• Procurements are as per work plan and in line with the Procurement Act
• Procurement of only valid goods and services
• Payments are made to only valid people for valid reasons
• No overpayment occurs
• No undue delays in making payments
• Making of purchases at approved rates
• Only approved vendors are used.

10.12.4.2 Monitoring Controls

• Fraud and wastage are minimised
• Reports are reviewed by management so as to give assurance that the procurements made accomplish the stated objectives
• Irregularities are detected, investigated and corrective action taken by management.


10.12.5.0 Supplier Creation and maintenance

Each ministry’s Head of Procurement has the rights to create and enter supplier information. This information is used when making Requisitions, Purchase orders, Invoices and Expense Payments. No purchase can be made from a supplier not in the system.

Supplier information recorded in the master file includes;
• Supplier name
• Tax payer ID
• Tax registration Number

10.12.5.1 Control Objectives

• Integrity of the supplier master should be protected
• A hard copy audit trail of the supplier approval process should be present
• Creation and maintenance of only valid suppliers/employees on the master file

10.12.5.2 Controls over supplier master files data

10.12.5.3 General IT Controls

• IT security controls - password
• Data file integrity controls
• Access controls

10.12.5.4 Application Controls

These include;

a) Automated Controls

The following are automatically enforced by the IFMS;
• Unique VAT ID
• Unique URA ID
• Unique supplier name
• Duplicate name check

b) Other important controls

• Established and documented procedures for reviewing the supplier master file and payment files and for analysing vendor performance.

• A hard copy audit trail of the approval process should be maintained. It should justify why a supplier was entered for a particular good or service.

• Procedures should be established to ensure the completeness, accuracy, and validity of data entry to the master file, e.g. one for one checks and edits.

• Manual procedures should be in place and adhered to. Some important procedures include: inviting applications from suppliers, recording the received applications, approval process, and the selection criteria used.


10.12.5.4 Control Questionnaire

Key control questions Yes/No Remarks WP Ref

Is the hardcopy audit trail of the supplier approval process maintained?

Are there procedures to ensure that only valid MALG employees are entered as suppliers for payment claims?

Have the rules and procedures concerning payment of claims and types of claims by employees been documented?

Are there controls for ensuring completeness, accuracy and validity of data entry to the master file e.g. one for one checks and edits?

Has the basis for inactivation of suppliers been documented?

Do the manual procedures precede entering of supplier data e.g. approval of suppliers?

10.12.5.5 Audit Procedures

Done by Date WP Ref

Perform a walk-through of the supplier approval and data entry process

Interview the CAO, Head of Accounts and the HOP about the supplier creation and maintenance procedures

Review documentation and procedural manuals

Make a print out of the supplier report and compare a sample with the hard copies of approval documents to ascertain whether the proper approval procedures had been followed

Check for evidence of management supervision and monitoring

10.12.6.0 The Requisition Process

The purchasing cycle begins with a requisition by the authorized officers. Some of the details filled in the requisition include; requisition type, description, status, and estimate of the amount to be spent.


10.12.6.1 Control Objectives

• Requisitions should be made against appropriate charge accounts so as to check the availability of funds

• Only goods and services with a specific business purpose should be requisitioned.

• Specifications, rate, quantity and amount of the requested expense items must be valid and authorized.

10.12.6.2 Control Questionnaire

Key Control questions Yes/No Remarks WP Ref

Are requisitions only being entered by authorized persons?

Is a paper audit trail of requisitions maintained?

Are there developed guidelines for procurement action to ensure that requisitioning officers initiate only valid procurement actions?

Do the different departments and cost centres review and analyse the requisitions and purchases made?

10.12.6.3 Audit Procedure

Done by Date WP Ref

Interview CAO, HOA, HODs and HOP

Check documentation and manuals

Review a sample of amount based requisitions

Check for POs that have no requisitions

Check for PO amounts that differ from the requisition amount and quantity
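The last two procedures above (POs that have no requisition, and PO amounts or quantities that differ from the requisition) suit a CAAT run over the full population rather than a sample. The following is an added example, not part of the manual or of the IFMS: it runs SQL through Python's sqlite3 on constructed data, and the table names, column names and status values are assumptions rather than the IFMS schema. It goes slightly beyond the text by also flagging POs raised against requisitions that are not approved, and by totalling split POs per requisition before comparing.

```python
import sqlite3

# Constructed sample data. Table names, column names and status values are
# assumptions for illustration; they are not the IFMS schema.
SCHEMA = """
CREATE TABLE requisitions (
    req_no TEXT PRIMARY KEY, status TEXT, quantity INTEGER, amount INTEGER);
CREATE TABLE purchase_orders (
    po_no TEXT PRIMARY KEY, req_no TEXT, quantity INTEGER, amount INTEGER);
"""
REQUISITIONS = [
    ("REQ-001", "APPROVED", 10, 500000),
    ("REQ-002", "APPROVED", 5, 1200000),
    ("REQ-003", "CANCELLED", 2, 300000),
    ("REQ-004", "APPROVED", 1, 750000),
    ("REQ-005", "APPROVED", 10, 1000000),
]
PURCHASE_ORDERS = [
    ("PO-101", "REQ-001", 10, 500000),   # agrees with its requisition
    ("PO-102", "REQ-002", 5, 1450000),   # amount exceeds the requisition
    ("PO-103", None, 3, 900000),         # no requisition reference at all
    ("PO-104", "REQ-999", 1, 200000),    # refers to a requisition not on file
    ("PO-105", "REQ-003", 2, 300000),    # raised on a cancelled requisition
    ("PO-106", "REQ-004", 4, 750000),    # quantity differs
    ("PO-107", "REQ-005", 6, 600000),    # split order, part 1
    ("PO-108", "REQ-005", 4, 400000),    # split order, part 2 (total agrees)
]


def build_db():
    """Load the constructed extracts into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO requisitions VALUES (?, ?, ?, ?)", REQUISITIONS)
    conn.executemany("INSERT INTO purchase_orders VALUES (?, ?, ?, ?)", PURCHASE_ORDERS)
    return conn


def pos_without_requisition(conn):
    """POs with a blank requisition reference or one that matches nothing."""
    return conn.execute("""
        SELECT po.po_no, po.req_no
        FROM purchase_orders po
        LEFT JOIN requisitions r ON r.req_no = po.req_no
        WHERE r.req_no IS NULL
        ORDER BY po.po_no""").fetchall()


def pos_on_unapproved_requisition(conn):
    """POs whose requisition exists but is not in APPROVED status."""
    return conn.execute("""
        SELECT po.po_no, r.req_no, r.status
        FROM purchase_orders po
        JOIN requisitions r ON r.req_no = po.req_no
        WHERE r.status <> 'APPROVED'
        ORDER BY po.po_no""").fetchall()


def requisition_totals_differing(conn):
    """Requisitions whose PO totals differ; split POs are summed first."""
    return conn.execute("""
        SELECT r.req_no, COUNT(*) AS po_count,
               SUM(po.quantity) - r.quantity AS qty_diff,
               SUM(po.amount) - r.amount AS amount_diff
        FROM requisitions r
        JOIN purchase_orders po ON po.req_no = r.req_no
        GROUP BY r.req_no, r.quantity, r.amount
        HAVING SUM(po.quantity) <> r.quantity OR SUM(po.amount) <> r.amount
        ORDER BY r.req_no""").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("POs without a requisition:", pos_without_requisition(db))
    print("POs on unapproved requisitions:", pos_on_unapproved_requisition(db))
    print("Requisitions with differing PO totals:", requisition_totals_differing(db))
```

Each exception row is a lead for follow-up against the paper audit trail, not a finding in itself.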

10.12.7.0 Purchase Orders

These are created automatically from the valid and approved requisitions.

10.12.7.1 Control Objectives

• Purchases should be charged to correct accounts
• Only goods and services that meet the business objectives will have purchase orders issued
• There should be complete and accurate information regarding description of goods and services, rates, etc.
• Only approved purchase orders should be issued to approved suppliers


10.12.7.2 Audit Procedures

• Get a print out of the purchase orders and review for appropriateness of charge account

• Check whether the documented procedures require a hard copy trail to be kept for each transaction in the form of a voucher.

• The following reports should be printed and reviewed:
- Cancelled Requisitions Report
- Cancelled Purchase Orders Report
- Encumbrance Detail Report

10.12.8.0 Receiving of Goods and Services

After the goods have been received and the store keeper prepares a Goods Received Note (GRN), the Head of Purchasing will enter it into the IFMS.

10.12.8.1 Control Objectives

• There should be assurance that the receipts are only entered into the IFMS system after ensuring that the description and quantity of the items agree with the details on the purchase order.

10.12.8.2 Control Questionnaire

Key Control questions Yes/No Remarks WP Ref

Is a system in place to inspect the received goods for quality and quantity before the receipts are entered into the system?

Does the store keeper have the technical competence to verify the quality of all received items?

Is a system in place to record suppliers’ shipping advice details upon receipt of goods?

Does the system provide for the correct treatment of partial receipt of goods and services?

Does the system allow for receipt of goods?

Is a mechanism in place to certify the satisfactory delivery and completion of technical services ordered through amount based purchase orders?

Does the store keeper follow documented procedures?

Is there an investigation and reconciliation into the receipts that do not match to purchase orders?


10.12.8.3 Audit Procedures

• Interview the storekeeper, his supervisors, and users.
• Review documentation regarding the storekeeper’s functions.
• Select a sample of GRNs and verify against stores accounts.
• Review the accounting system in place.
• Review a sample of payments for services.

10.13 Review of IFMS General Controls

General IT controls mainly focus on the IT infrastructure. Issues like IT related policies, procedures and working practices are dealt with. These controls are not specific to any individual transaction streams or accounting packages or financial applications.

Some categories of general controls include;
• Segregation of duties
• Logical access controls
• Physical controls (access and environment)
• Systems development and program change
• Business continuity planning
• Organization and management (IT policies and standards)

10.13.1.0 Data centre control objectives and audit procedures

The data centre is a very critical facility for the IFMS system. Key resources like: databases, people, application software, infrastructure, hardware and operating systems are all housed here.

10.13.1.1 Objectives of the data center controls review

To get assurance that;
• Key resources are protected and safeguarded
• Usage of key resources is monitored
• Usage of key resources is maintained at an optimal level.

10.13.1.2 Examples of Control Objectives

• Senior management should define a framework that promotes the definition of formal service level agreements and defines the minimal contents: availability, reliability, performance, level of support provided by users, continuity planning.

• Appropriate physical security and access control measures should be established for information technology, including off-site use of devices to conform to the general security policy.

• Information services function management should ensure that a low profile is kept and the physical identification of the site of its information technology operations is limited.


• Health and safety practices should be in place and maintained in conformance with applicable international, national, regional and local laws and regulations

• Sufficient measures should be in place to protect against environmental factors like fire, dust, excessive heat.

• Management controls should guarantee that sufficient chronological information is being stored in operations logs to enable reconstruction, timely review and examination of the time sequences of processing and other activities surrounding or supporting processing.

• Management should establish the data centre organizational structure and develop job descriptions

• Management should ensure that all information assets have an appointed owner who makes decisions about classifications and access rights

• There should be well documented standard procedures for information technology operations.

• Software vendors should supply technical manuals concerning their products.

10.14 Computer-Assisted Audit Techniques (CAATS)

CAATS should be used to improve audit coverage by reducing the cost of testing and sampling procedures that otherwise would be performed manually. CAATS include many types of tools and techniques, such as generalized audit software, utility software, test data, application software tracing and mapping.

Some audit procedures where CAATs may be used include;

• Tests of transactions and balances, such as recalculating interest;
• Analytical review procedures, such as identifying inconsistencies or significant fluctuations;
• Compliance tests of general controls, such as testing the set-up or configuration of the operating system or access procedures to the program libraries;
• Sampling programs to extract data for audit testing;
• Compliance tests for application controls like testing the functioning of a programmed control;
• Recalculating entries performed by MOF’s accounting systems;
• Penetration testing.

10.15 Auditor/Inspector Knowledge Considerations

Standard 1210 - Proficiency of The IIA’s Standards requires that the internal audit activity collectively should possess or obtain the knowledge, skills, and other competences needed to perform its responsibilities. Varying levels of IT knowledge are needed throughout the organization to provide a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Knowledge of how IT is used, the related risks, and the ability to use IT as a resource in the performance of audit work is essential for auditor/inspector effectiveness at all levels.


The following three categories for IT knowledge for internal auditor/inspectors were identified by the IIA’s International Advanced Technology Committee;

a) Category 1 - All Auditor/inspectors

This is the knowledge of IT needed by all professional auditor/inspectors, from new recruits up through the Chief of Audit. Basic IT knowledge includes;

• Understanding concepts like differences in software used in applications, operating systems and systems software

• Comprehending basic IT security and control components like perimeter defences, intrusion detection, authentication, and application system controls.

• Understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related supporting systems, networks, and data components.

b) Category 2 - Audit Supervisors

This is concerned with the supervisory level of auditing. In addition to having basic IT skills, supervisors must understand IT issues and elements sufficiently to address them in audit planning, testing, analysis, reporting, follow-up, and assigning auditor/inspector skills to the elements of audit project.

Each audit supervisor must:
• Understand the threats and vulnerabilities associated with automated business processes.
• Understand business controls and risk mitigation that should be provided by IT.
• Plan and supervise audit tasks to address IT-related vulnerabilities and controls, as well as the effectiveness of IT in providing controls for business application and environments.
• Ensure the audit team has sufficient competence, including IT proficiency, for audits.
• Ensure the effective use of IT tools in audit assessment and testing.
• Approve plans and techniques for testing controls and information.
• Assess audit test results for evidence of IT vulnerabilities or control weaknesses.
• Analyse symptoms detected and relate them to causes that may have their sources in business or IT: planning, execution, operations, change management, authentication, or other risk areas.
• Provide audit recommendations based on business assurance objectives appropriate to the sources of problems noted rather than just reporting on problems or errors detected.

c) Category 3 - Technical IT Audit Specialists

These are the IT specialists who go into the deeper aspects of critically evaluating the IT controls in place.


Article 11 Fraud and Irregularities

11.0 Introduction

The profile of fraud and corruption in both the public and private sectors continues to be high. Fraud can be defined as any illegal acts characterised by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or physical force. Frauds are perpetrated by individuals and organisations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage. Internal auditors/inspectors do not have all the expertise to deal with cases of suspected fraud, corruption or other irregularity. When such a case is found or suspected, the Internal Auditor/inspector must contact the Commissioner Internal Auditor/Inspector, who will contact the Head of Internal Audit. The Chief Internal Auditor/Inspector will decide what steps need to be taken and when to contact other institutions, for example, the Prevention of Corruption Bureau.

11.1 Fraud Red Flags

11.1.1 People

• Management dominated by one person (or a small group) and no effective oversight board or committee.
• High turnover rate of key accounting and financial personnel.
• Significant and prolonged understaffing of departments such as the accounting or internal audit department.
• Frequent changes of legal advisers, auditor/inspectors or other professional advisers.
• Undue pressure on accounting personnel to complete financial statements or management information in an unreasonably short period.
• Remuneration overly based on financial performance.
• Inadequate segregation between the risk-takers and the record makers.
• Low morale.
• An employee whose lifestyle is at variance with their known sources of income.
• Changes in lifestyle or habits by key members of staff.
• Excessive hours worked by key staff and/or a lack of delegation of apparently mundane tasks.

11.1.2 Processes

• No checks to ensure that only appropriate employees are recruited by taking references, checking for criminal convictions and regulatory body disciplinary actions.
• No checks to ensure that sales are only made to appropriate customers by, for example, establishing their ability to pay.
• No checks to ensure that only appropriate suppliers are used by, for example, checking for connections with company employees or officers.
• Lack of appropriate response to queries from management, suppliers, auditors/inspectors, bankers, or lawyers.
• Suggestions that internal controls have been overridden by management.
• Rumours and tipoffs relating to fraud & irregularities not dealt with.
• Indications that internal financial information is unreliable.
• Continuing failure to correct major weaknesses in internal control where such corrections are practicable and cost-effective.
• No enforcement of holidays and procedures during absence and work always left until the employee returns.
• Accounts office not keeping up with operations and the books apparently in a mess, for example key reconciliations not completed.
• Loss of records or other information.
• Overly complex corporate and/or reporting structure.
• Control of the business, especially internal control, given low priority and little management time.

11.1.3 Surplus/Deficit

• Unusual transactions that have a significant effect on earnings.
• Complex transactions or accounting treatments that require such intricate explanations that they are difficult for most non-specialists to comprehend.
• Unusual transactions with related parties.
• Payments for services (for example to lawyers, consultants or agents) that appear excessive in relation to the services actually provided.
• Unusually high or unexpected levels of surplus or deficit.
• Results that are out of line with the rest of the industry.
• Transactions where surplus is not consistent with cash flow.
• Secrecy about a particular auditee or project and/or where the auditee will only deal with one member of staff.
• Inadequate documentation about an auditee or transaction, for example, where the only contact details are a mobile phone number.
• Deteriorating quality of earnings, for example increased risk-taking with respect to credit sales, changes in business practice.
• Need for a rising surplus trend to support the market price of the company’s shares due to a contemplated public offering, a takeover or other reason.
• Surplus and cash flow at variance with each other, or with the market.

11.2 Understanding the Business and the Risk of Fraud & Irregularities in Each Business Area/Process

• Managers should be prepared to ask if they do not understand. There is a strong correlation between managers’ understanding of their business and the level of fraud & irregularities in that business.

• What are the common fraud & irregularities seen in the industry in each area/process?

• How well do senior management/the board of directors understand each of the business areas/business processes?

• What level of fraud & irregularities risk is tolerated by the business?

• Who within each area could produce a comprehensive list of the critical risk areas?
• Who could check that list for completeness and accuracy?
• Are understanding and control of any process solely or principally in the hands of one individual?
• How is this individual monitored and controlled and is this appropriate?
• Are any such key individuals demonstrating fraud & irregularities warning signs?
• Is the culture of the business conducive to fraud & irregularities, for example, is it overly secretive/complicated?
• How would you perpetrate a fraud & irregularities in each business area/process?
• How would you be found out?
• What are the key controls on which the business is relying?

11.3 Assessing the Impact of Each Possible Fraud & Irregularities Based on its Severity and Potential Frequency

• Repeat the exercise, assuming that a key employee is involved in the fraud & irregularities, to highlight the key controls and individuals on which the business is relying.
• How big would the fraud & irregularities get before it was noticed?
• Could cost-effective controls be introduced to mitigate the risks?

11.3.1 Key controls

• Procedures to prevent management overriding controls.
• Adequate segregation of responsibilities between the risk-takers and the recorders.
• Management involvement and understanding of the key items in all key reconciliations and journal postings.
• Internal controls – up-to-date procedures manuals explaining the controls applied.
• Use of pre-numbered, sequential documents wherever possible.
• Maintenance and review of audit logs, for example, review of amendments to standing data.
• Recruitment – pre-employment screening, adequate inductions, performance evaluation, counselling, coaching and training.
• Internal audit and internal checks.
• Dual signatories on all cheques.
• Appropriate authorisation limits.
• Backing up all data regularly to ensure an adequate audit trail is maintained.
• Surveillance.
• Exit interviews – ask all leavers whether they are aware of any fraud & irregularities or other irregularity.
• Adequate job rotation, for example, ensuring that all staff take holidays and that their role is handled by another person in their absence.
• Procedures for notification of tip-offs, exceptions, control failures and their follow-up, for example, the provision of a fraud & irregularities hotline.


11.3.2 Are controls operating effectively?

• What evidence exists to prove that the control operates?
• How frequently does management check to see whether a control operates?
• What information is provided to management on a timely basis?
• What action does management take to resolve issues and exceptions?
• How well does management demonstrate prompt, appropriate action?
• How often does internal audit check to see whether controls are operating?
• How aware are staff of the key risks facing the business and the controls relied on to prevent them?
• Who is able to override the controls and how?
• How responsive are the controls to changes in the business, its people and its processes, for example, redundancies etc?
• Who is assessing the control over the director/manager undertaking this fraud & irregularities risk review?

11.4 The Internal Auditor’s/Inspector’s Role

As noted above, responsibility for prevention and detection of fraud rests with management. The internal auditor/inspector, in preparing audit needs assessments and audit plans, should ensure that high-risk areas are identified. High-risk areas include areas of high inherent risk, areas where controls are weak, areas typically exposed to fraud, computer fraud, etc. Internal audit may discover fraud either through their audit checks, or from information received from management or ‘tip-offs’. Information concerning suspected fraud could be received by formal complaints, anonymous letters, telephone calls, through operating hotlines, or referrals from the external auditor/inspector. The auditor/inspector should get as much detail as possible, and also try and obtain the identities of informants, assuring them of confidentiality. Management may come across areas where they suspect fraud, for example employees working while sick, or living beyond their means. The Internal Audit Service should establish a special telephone line for whistleblowers at selected ministries. This will allow key officers in these ministries to report suspected fraud or other irregularities to the Internal Audit Service without having to provide their names or posts.

The auditor/inspector could usefully identify some signs, personal circumstances or organisational conditions that could point to fraud, and therefore require more detailed examination, such as:
• overspending against budget
• unexplained items in suspense accounts
• frequent late banking
• altered petty cash vouchers and receipts
• goods invoiced that are not normally purchased
• employees who never take annual leave; also staff who constantly work outside normal working hours
• employees’ personal financial problems
• employees whose lifestyle is more extravagant than their salary would warrant
• unusual concerns about visits by auditor/inspectors
• someone who often breaks the rules and regulations - cutting corners may be a way of concealing fraud
• complaints about a member of staff from customers or employers
• people who rule their subordinates with a ‘rod of iron’, and unnecessary anger, sarcasm or criticism, so they become too frightened to question anything
• lack of effective internal controls
• failure of management information systems
• undocumented procedures
• general laxity of attitude by management and employees towards security.

Once an investigation is completed internal audit may have responsibilities in relation to:
  o recommending improvements to systems
  o attendance at disciplinary proceedings
  o attendance at Court

11.5 Conduct of the Investigation

11.5.1 Objectives of fraud investigations

• To prove or disprove the original suspicions of fraud
• If proven, to support the findings by producing evidence
• To present the evidence obtained in an appropriate format

11.5.2 Who to inform about the suspected fraud

• Chief Executive Officer
• Internal auditors/inspectors
• External auditors/inspectors (if fraud is significant)
• Department head.

11.5.3 Police involvement

• There should be a clear policy on the involvement of the police.
• Good working relationships with the local police, appropriate police fraud units and with other organisations working in this area should be established.
• Protocols should be agreed with the police covering interviewing, documentation and other key issues, a major one being the stages at which contact with the police should be established.

Agreement should be reached on:
• terms of reference and scope of the investigation
• estimated target dates
• staffing resources
• provision of suitable facilities - transport, cameras, mobile phones etc as may be required.


• All investigations must be properly authorised; relevant information properly documented; secrecy and confidentiality must be maintained.

• All original documentation, material to the investigation, should be secured by the auditor/inspector at the earliest possible stage.

At some stage - initially, or during the investigation, suspension of the suspect may need to be considered. This will ensure that evidence is not tampered with, and will also prevent any undue influence by the suspect on the course of the investigation. The suspension is, of course, without prejudice to the outcome of the investigation.

The investigation will involve gathering of evidence, and its evaluation. If there is a high volume of detail and documentary evidence, it is preferable to take the strongest cases for full and detailed appraisal, for example where a successful prosecution is most likely to be secured.

11.6 Interviewing

Interviews can be of two types:
• to seek more information
• interviewing suspects.

• Potential suspects should normally be interviewed towards the end of the investigation.
• Thorough preparation must always be done for interviews; questions to be asked should be predetermined and written, but auditors/inspectors must always be alert to when to ask supplementary questions.
• Avoid leading questions.
• A caution should be issued to a person where there are grounds to suspect that they may have committed an offence before any questions about the offence are put. The auditor/inspector should not be in a position at the start of any suspect interview where it would be required to issue a caution at the outset; if the suspicion were strong enough for that to be necessary, the case should normally be referred to the police. If there is a doubt on whether a caution should be issued, it should be remembered that, without a caution, the case will not be admissible in court.

11.6.1 Issues to consider before the interview

• The information needed; questions should, preferably, be prepared in advance of interview
• Arrange the time and place of the interview - preferably during normal working hours, but away from the interviewee’s normal place of work
• The parties to be present - all interested parties should be represented, and preferably two auditor/inspectors; the interviewee should be given the opportunity to be accompanied.

11.6.2 Pointers at the interview

• One auditor/inspector should ask questions - and another person should take notes
• Ensure that nothing is done that can be construed as duress by the interviewee
• Begin by asking the interviewee to outline their understanding of their duties and responsibilities of the matter under review
• Ask supplementary questions where necessary
• If at any time the auditor/inspector forms the opinion that they have reasonable grounds for believing that the interviewee has committed an offence, the caution should be administered
• The auditor/inspector’s notes should be agreed, signed and dated by all present at the interview.

11.6.3 Action to take after the interview

After the interview the following need to be considered:
• Suspension
• Informing the police
• Informing the external auditor/inspector
• Insurance
• Review of systems

11.7 Interviewing Techniques for Fraud Investigations

As the investigation develops there will be matters arising that can only be substantiated or clarified by interviews conducted by the auditor/inspector. These interviews will broadly fall into two main categories. Firstly, there may be a need to obtain more information of a factual nature, which can only be obtained by interviewing those people with the relevant knowledge. These people are more likely to be employees of the organisation but could be third parties who are willing to assist voluntarily with the enquiries. The second category will involve interviewing the suspect(s) with a view to ascertaining any knowledge of and involvement in the suspected fraud.

11.8 Fact Finding Interviews

Although the basic evidence in fraud investigation is more likely to be documentary, it will normally be necessary to establish certain other facts either relating to those documents, other people, the application of rules/regulations, procedures in operation and/or specific events. This can be obtained from the testimony and recollection of others through fact-finding interviews, which will generally be of a formal nature and comprise predetermined questions, although other supplementary questions may be raised during the course of the interview. The questions should be designed to elicit the relevant facts from the interviewee and answers which enhance the auditor’s/inspector’s knowledge of the circumstances connected with the investigation. Leading questions (which indicate the answer which is anticipated) should not be asked. If predetermined questions are not used, a checklist needs to be prepared to ensure that spontaneous questions cover all the necessary areas of the investigation.

Depending on the scale and sensitivity of the investigation these interviews will normally be undertaken by two auditors/inspectors, one of whom will take detailed notes of the answers given to the questions asked. It is important to ensure proper procedures are adopted in such interviews and they should generally be in line with the procedures set out later.

Where the interview is conducted with a third party outside the organisation certain additional matters need to be taken into consideration. Wherever possible a proper appointment should be made agreeing the arrangements. Where the interview takes place at a person’s private residence the auditor/inspector should ensure that the interviewee is aware of the auditor’s/inspector’s name and should carry an identification pass, which will be shown on arrival. If the interviewee is an aged person it is sensible for the auditor/inspector to be accompanied by a social/welfare worker, who is known to the person. This is also important when the interviewee is female and lives alone and in these circumstances it is preferable that the interview be conducted by a female auditor/inspector where possible.

11.9 Interviews with Suspect(s)

• Interviews with potential suspects should be conducted towards the end of the investigation when the auditor/inspector has assimilated the available evidence and the examination of records and interviews with third parties and others has established, as far as possible, the veracity of the facts of the case.

• If the interview is carried out at an early stage where the auditor/inspector is working largely on personal suspicions then the interview becomes a fact finding interview with the possibility of a further interview being necessary. This could however enable the suspect to gain considerable insight into areas being covered by the investigation and be given an early opportunity to frustrate the investigation as previously mentioned.

11.9.1 Preparation for interviewing suspects

The auditor/inspector should:

• Understand and be fully conversant with all the details of the case.
• Have sufficient knowledge to introduce supplementary questions spontaneously, if appropriate, during the interview.
• Study the evidence thoroughly and draw upon the strongest aspects of the case, with all the necessary supporting evidence.
• Formulate the areas to be covered and the sequence in which those areas should be dealt with in a logical structure.
• Be methodical in approach.
• Ensure that documents connected with the suspected fraud and those that will subsequently be relied on in proving that fraud has occurred, are shown to the suspect at interview and accepted as valid, accurate and complete documents.
• Seek confirmation of such documents in total from the suspect in the initial stages of an interview when the suspect is not aware of the detailed suspicions of the auditor/inspector or the direction which the interview will take.
• Give all such documentary evidence produced at interviews unique references which will clearly identify individual documents and which will be recorded in the question asked, for example “Would you examine this time-sheet dated 10/12/06 which I have referenced ABI. Is this the time-sheet which you completed for the week ended 10/12/06?” A positive answer to such a question, contemporaneously recorded, would be difficult for the suspect to refute at a later date.
• Predetermine and write down the questions to be asked at the interview.


11.9.2 Purpose of pre-determined questions:

• the questions are asked in the most beneficial sequence and in the most appropriate form
• the auditor/inspector taking notes of the answers given can concentrate on writing down the answers only
• no area of the investigation is ‘missed’ from the interview as a result of the auditor/inspector being ‘side-tracked’ by the interviewee, and
• the overall interview time is reduced as the process is ‘speeded-up’.

• Future disputes as to the conduct of the audit interview can be forestalled to some extent if a final question is included, as a matter of course to the effect, “Are you satisfied with the way in which this interview has been conducted?” An affirmative answer to such a question should preclude any complaints of duress, unfair treatment or denial of natural justice by the auditor/inspectors being made by the interviewee at a later date.

11.9.3 Formulation of questions

• There should be no leading questions. These are questions which contain the answer the questioner is looking for, e.g. “You do open the post on your own, don’t you?”

• Questions should be kept simple. It is better to use several short questions rather than long involved ones.

• If a question is not understood, repeat it.
• Avoid multiple questions as these allow the suspect to choose which individual aspect of the question to answer and can be confusing, especially when a ‘yes’ or ‘no’ answer is given, as it is impossible to determine whether it is ‘yes’ or ‘no’ to all aspects, or one, or more.

• Ask a question the correct answer to which is already known to the auditor/inspector. This type of question allows the auditor/inspector to determine whether the suspect is telling the truth.

• Where questions are asked about two related documents, for example, a correct one and an identical fictitious one, the fictitious document should be questioned first as the suspect will not be aware that the auditor/inspector possesses the correct one and will have committed an answer before the correct document is produced and therefore be unable to easily retract it.

• Ensure that the questions are constructed to elicit all information otherwise the auditor/inspector will find that only specific responses are made and these may not reflect the whole truth.

• Use either open questions or closed questions, depending on the situation.


a) Open Questions

• Allow the suspect to explain matters in detail.
• Are useful in circumstances where the person is reluctant to answer.
• They allow the auditor/inspector to lose control of the situation if they are widely used, particularly where the suspect is talkative and wanders away from the nub of the question.

• Begin with expressions such as, “Tell me about…..”

b) Closed Questions

• Establish specific points of fact.
• Enable the auditor/inspector to probe single and specific facts.
• They may be used to obtain specific ‘yes/no’ answers or to identify a person, etc.

An example of the first type would be “Are unofficial receipts issued?” and an example of the second type would be “Who authorises payments from petty cash?”

11.9.4 Other arrangements for the interview

• The auditor/inspector should make other arrangements in advance to enable things to run as smoothly as possible.
• Audit interviews should always be conducted in a formal manner and are best undertaken at a location away from the interviewee’s normal work place.

There are several reasons for this:
  o the interview can be confidential
  o it reduces the embarrassment which the interviewee may feel, and
  o if conducted away from the suspect’s work place it will remove any advantage which the suspect may gain from being on home ground.

• Ensure that adequate safeguards are adopted, both from the point of view of the interviewee and the interviewer.

• Arrange the interview at a reasonable time of day (having taken into account the estimated time which will be required to carry out the full interview).

• Breaks from interviewing shall be made at recognised meal times.
• Short breaks for refreshment shall also be provided at intervals of approximately two hours, subject to the interviewing officer’s discretion to delay a break if there are reasonable grounds.

• As far as practicable interviews should take place in interview rooms which must be adequately heated, ventilated and lit.

• The interviewee should be given the opportunity to be accompanied if requested, so advance warning will be necessary so that the requisite arrangements can be made.

• A person who wants legal advice may not be interviewed or continue to be interviewed until they have received it.


11.9.5 Conduct and structure of the interview

• The interview should be conducted by a senior member of the audit team accompanied by another auditor/inspector whose duty will be to record contemporaneously the answers given by the interviewee together with any supplementary questions asked or explanatory statements made by either party.

• At the start of the interview both auditors/inspectors should formally introduce themselves to the interviewee giving their names and positions.

• It is sensible for the auditor/inspector to explain at the outset the procedure to be followed and that if the interviewee does not wish to answer any question that fact will be recorded in the interview notes.

• There should be formal note taking. The taking of good notes may in fact be the difference between success and failure in a subsequent disciplinary or criminal investigation.

• Where someone (this may be a trade union representative, a solicitor, or a colleague) accompanies the interviewee it should be clearly explained at the commencement of the interview that their role is that of an observer to see that the interview is conducted fairly and not to answer on behalf of the interviewee.

• These interviews are not part of the disciplinary process but are conducted by the auditor/inspector in order to seek out the facts.

• In the case where an interviewee is not able to understand English or where the interviewing officer cannot speak or understand the language of the interviewee then an interpreter should also be present to record what takes place during the interview in the actual language which is used. (This record should then be formally certified as accurate and complete by the interpreter).

• Similar provisions will also need to be made when the interviewee is deaf and the auditor/inspector should contact the social services department of the local authority who should be able to provide assistance.

• Formulate a standard prefix sheet for use in all audit interviews. The following details should be recorded:
  o name of the interviewee
  o the place and date of interview
  o details of any “friend” accompanying the interviewee
  o the matters being investigated, and on which the interviewee is to be questioned
  o the time of commencement of the interview, and
  o the details (i.e. names and positions) of the audit staff conducting the interview.

• The prefix sheet should incorporate a paragraph which sets out the auditor’s/inspector’s authority to conduct the interview and seek explanations and information from the interviewee. This can be read out to the interviewee and will assist in precluding any dispute and consequent delay which might otherwise arise over the right of the auditor/inspector to carry out the interview.

• Before, during and after the interview nothing should be done in any way whatsoever which could be construed as duress to force the interviewee to answer in a specific way or even confess to an offence. An auditor/inspector tapping fingers on the desk could be interpreted as an act of duress and could bring the interview into question in any future court hearing.


• The auditor/inspector should always be alert to the behaviour/responses/reactions of the suspect.

• Include a question in the interview which allows the interviewee to make any comments which they may wish to add and have recorded in the interview notes.

11.10 Interview Notes

Audit interviews are normally recorded by the use of contemporaneous notes taken by a member of the audit staff as the interview proceeds. This process should be explained to the interviewee at the commencement of the interview.

Auditors/inspectors are not trained shorthand writers and so cannot normally be expected to produce a complete verbatim record of the answers given at interview but the person taking notes should record the answers given as fully as possible. There is a danger that the note taker might disregard, or fail to record an apparently trivial statement made by the interviewee which is in fact of singular significance to the case, but which could not later be introduced as evidence if it is not recorded in the interview notes. To this end, where particularly complex investigations require such interviews it is perhaps appropriate that the person taking notes is fully conversant with the case in order to minimise the risk of any significant comment not being recorded. The recording of the interview fully and correctly is a vital aspect of the whole investigation, both from the point of view of the auditor/inspector and the interviewee. This applies whether or not the interview is being tape recorded.

Where an audit interview continues for any length of time, the offer of breaks and their acceptance, or refusal by the interviewee must be recorded, together with the relevant times in the contemporaneous notes taken of the interview. Any complaints raised by the interviewee should also be recorded in the interview notes. When the interview has been completed, any sheets containing predetermined questions which were not asked, should be removed.

The interviewee should be invited to read the interview notes which have been taken and should be given the opportunity to make any additions, deletions or amendments which are considered necessary. When any such alterations have been made and the interviewee agrees that the notes are a complete and accurate record of the interview they should then be asked to sign each page of the interview notes and to initial any alterations which have been made.

Once this has been done, and in the presence of the interviewee the auditor/inspector who has taken the notes should:
• consecutively number the pages of notes, e.g. 1 of 10 etc
• cross through all blank spaces on the pages of notes to demonstrate to the interviewee that nothing can subsequently be added to the agreed interview notes
• sign each page of notes, together with the auditor/inspector who has conducted the interview, and
• enter on the last page of notes the time at which the interview ended.


11.10.1 Refusal of the interviewee to sign the notes taken

It may arise that an interviewee will refuse to sign the notes taken of the interview. The circumstances of the refusal should in those cases be noted on the last sheet of the interview notes, preferably in the presence of the interviewee, and the notes should be signed by the two auditor/inspectors who conducted the interview. Under no circumstances whatsoever should the interviewee be pressured into appending a signature.

11.10.2 Cautioning

It is appropriate at this point to examine the circumstances of cautioning a suspect.

The objective of an audit interview is to establish facts and this applies equally to interviews with suspects in an investigation. It may well be that a suspect will provide apparently genuine explanations for the actions which have prompted the audit investigation, and which the auditor/inspector will subsequently need to follow-up and verify.

A caution should be issued to a person where there are grounds to suspect that they may have committed an offence before any questions about the offence are put. This is therefore an important consideration for the auditor/inspector when undertaking suspect interviews. Even though an auditor/inspector may have accumulated substantial amounts of evidence during the investigation which could be seen as suggestive of the guilt of the suspect there may well be other possible explanations.

Having discussed the situation informally as previously suggested with the local police, the auditor/inspector should not be in a position at the start of any suspect interview where it would be required to issue a caution at the outset. If the suspicion were strong enough for that to be necessary the case should normally be referred to the police.

It is perhaps appropriate to help prevent any future dispute for the auditor/inspector to explain to the suspect at the outset of the interview that the purpose of the interview is to establish facts and obtain explanations. This statement should be fully recorded in the interview notes.

As the interview proceeds however, it may be that the answers given by the suspect, coupled with other evidence known to the auditor/inspector, give rise to clear grounds to suspect that the interviewee has carried out a fraudulent act or indeed the suspect may confess.

At this point, if the auditor/inspector is to avoid any evidence obtained from the interview being ruled inadmissible in any subsequent criminal proceedings, the auditor/inspector may take one of two courses of action:
• terminate the interview at that point and refer the investigation to the police for further action; or
• issue a caution to the suspect, before proceeding with any further questioning.


The words to be used to give such a caution should be:

“You do not have to say anything. But it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do or say may be given in evidence”.

The fact that the caution was given, the words used, and the time that the caution was given must be recorded in the interview notes. The interviewee must also be formally reminded that they are still under caution after any subsequent breaks in the interview and this must also be recorded and timed in the interview notes.

11.11 Voluntary Statements under Caution

In certain circumstances the interviewee may not wish to answer any further questions but may wish to make a statement to the auditor/inspectors. If the interviewee wishes to write out this statement personally then the statement should begin with this declaration:

“I make this statement of my own free will. I understand that I do not have to say anything but that it may harm my defence if I do not mention when questioned something which I later rely on in court. This statement may be given in evidence.”

This should be followed by the signature of the interviewee. The interviewee should, on completion of such a statement, be invited to re-read what has been written and be given the opportunity to make any amendments before signing the statement.

Where the interviewee wishes to make a statement rather than answer further questions but wishes the interviewing auditor/inspector to write down what is said the statement should be prefixed as follows:

“I, wish to make a statement. I want someone to write down what I say. I understand that I do not have to say anything but that it may harm my defence if I do not mention when questioned something I later rely on in court. This statement may be given in evidence.”

In these circumstances what is said by the interviewee must be recorded verbatim and upon completion the interviewee should be asked to read through what has been written, and should be allowed to make any alterations, additions or corrections. Any such changes must be initialled by the interviewee. When the statement has been agreed the following certificate should be added, at the end of the statement, by the interviewee:

“I have read the above statement, and I have been able to correct, alter or add anything I wish. This statement is true, I have made it of my own free will”.

This certificate should then be signed by the interviewee.


11.11.1 Offers of resignation/restitution

• If during the course of an interview the interviewee offers to resign then the auditor/inspector should not accept it but should refer the individual to the manager/personnel officer and record the offer in the interview notes.

• Auditor/inspectors should not accept money in restitution of an offence at interview as it may be construed as being obtained under duress and legal advice should be taken afterwards.

• Any offer of restitution should be incorporated in the interview notes.
• The auditor/inspector should not enter into any discussion on ‘doing a deal’ whereby the employee will pay restitution in order for the matter not to be referred to the police etc.

11.12 Other Relevant Areas

11.12.1 The use of audit notes as evidence

As a general principle evidence is essentially fact and not impressions or opinions formed or conclusions drawn.

Throughout the investigation of any fraud, situations will occur and conversations take place which are material to the matter under investigation, for example, the content of a telephone call to an outside organisation to confirm or otherwise alleged events will be very important to the direction of the investigation. In any such situation any auditor/inspector involved must either at the time, or immediately afterwards make a formal note of what has taken place. The object of such notes is to assist the auditor/inspector to:

• produce an honest and factual statement of evidence if subsequently required by the police or as part of formal disciplinary proceedings, and
• refresh the auditor/inspector’s memory and bring all aspects clearly to mind should the auditor/inspector later be called on to give evidence either in a disciplinary or criminal hearing.

11.12.2 Rough notes made during conversations, etc

Occasionally the auditor/inspector will not be able to follow formal interview procedures when speaking to persons connected with an investigation as in some cases the person concerned will not be an employee of the organisation and the auditor/inspector has no authority to interview formally in such cases. The evidence which these people have to give, however, may still be very material to the investigation and in such circumstances the auditor/inspector should record the contents of the interview as contemporaneous rough notes. These notes should be made in the manner most appropriate to the circumstances but should attempt to cover the essential facts disclosed. As soon as possible after completion of the conversation the rough notes should be used by the auditor/inspector(s) to produce a full written note of what has occurred. These notes should be signed by the auditor/inspector(s), timed and dated, and where possible the rough notes attached. Notes made on this basis may be acceptable to the police in any subsequent criminal investigation.


Such notes are also generally accepted by the courts for use by a witness when giving evidence but the courts may, on occasion, rule that only the rough notes made contemporaneously may be used. It is therefore important that these notes be as detailed as possible and are retained intact.

11.12.3 Conclusion of the investigation

Having conducted the interviews necessary to complete the auditor/inspector’s knowledge of the situation disclosed by the investigation the auditor/inspector must draw together all the evidence obtained from the investigations and formulate the conclusions based on all the evidence so that the audit report can be prepared.

At this stage the auditor/inspector must take full account of all their investigations in reaching their conclusions. It is also important that conclusions are only based on fact. It may well be prudent to obtain legal advice from within the organisation before finally determining the conclusions of the investigation.

The need to obtain legal advice on the evidence resulting from the investigation

In almost every fraud investigation some legal advice on the strength of the evidence obtained will be required. This may be:
• informal - an off the record discussion with a member of the organisation’s legal staff
• a referral of a draft report for specific examination as to whether the evidence disclosed is strong enough to warrant referral to the police
• a formal referral to outside counsel for advice both on the case and perhaps proper procedures for investigation/reporting when the culprit is covered by a detailed and specific nationally laid down disciplinary code.

It must always be remembered that the legal opinion obtained is purely that, an expression of opinion, and must not ever be regarded as a definite and infallible prediction of the outcome of any investigation/criminal action. The opinion given can only be formed from the information available. Therefore any omissions or errors in that information, or subsequent discoveries (unforeseen when the information was provided), will affect the validity of the opinion which is drawn from the information supplied.

The following expressions are those generally used by the legal profession when giving an opinion on the strength of evidence, and can be interpreted as shown below:

“The evidence should be sufficient to support successful proceedings”

This can be taken as legal opinion that the evidence obtained should be more likely to result in conviction of the culprit than in the acquittal.


“The evidence should be sufficient to support a prima facie case”

This can be taken to mean that the evidence disclosed is evidence of the essential facts of the case which are required to undertake a prosecution but that there are sufficient factors (which would normally be detailed in the opinion) to suggest that the prosecution could fail.

“The evidence is not sufficient to support proceedings”

This is basically self-explanatory in that it means that the evidence produced does not prove one or more of the essential facts necessary to secure the conviction of the culprit, for example obvious lack of credibility of some witness(es) or failure to prove the connection between the fraudulent action and the culprit.

Such advice will normally detail the deficiencies in the evidence produced and where possible suggest what is required to remedy these deficiencies.

In certain circumstances, although the evidence produced may well be sufficient to ensure prosecution, there may be certain features, either of the case and its circumstances or of the culprit, which would make the case unlikely to succeed and would therefore make the prosecution of the case contrary to the interests of the organisation. If such features exist, they should be brought to attention in any legal opinion obtained.

Such features include:

• the serious ill health of the culprit

• the “staleness” of the offence, and

• the age or youth of the culprit.

11.13 Components of an Appropriate Anti-Fraud and Irregularities Culture

• An anti-fraud & irregularities culture refers to an attitude of mind, not a list of rules.

• Issues that may suggest the existence of an appropriate anti-fraud & irregularities culture include:

  - Fair treatment of employees/customers and suppliers, in areas such as staff performance and development evaluation tied in with coaching and counselling.

  - Managers and staff who understand business and risks.

  - Segregation of duty between risk-takers and recorders.

  - Regular two-way communication, encouraging challenges to managers.

  - An ethics policy and contingency plan that are regularly reviewed, tested, updated and approved.

  - Staff accountability for maintaining adequate controls.

  - Appropriate anti-fraud & irregularities training.

  - An emphasis on staff’s responsibility to report fraud & irregularities and the existence of appropriate escalation procedures.

  - Provision of a fraud & irregularities hotline for reporting fraud & irregularities.

  - The existence of an internal audit department of an appropriate size.

  - An emphasis on recruiting staff with high integrity.

  - Regular discussion and knowledge sharing with others in the same business/industry.


APPENDIX 1 ESAAG INTERNAL AUDITING GUIDELINES

for

East and Southern Africa Association of Accountants General

February 2001


INTERNAL AUDITING GUIDELINES

for

The East and Southern African Association of Accountants General

CONTENTS

1. Introduction

2. Nature, Objectives and Scope of Internal Audit

3. Internal Audit Independence

4. Managing Internal Audit

5. Professional Proficiency

6. Relationships

7. Internal Audit Planning

8. Approaches to Internal Audit

9. Reporting, Monitoring and Follow-up

Glossary of Technical Internal Audit Terms


1. INTRODUCTION

1.0 These Internal Auditing Guidelines are recommended to all government institutions in member countries. These may include Ministries, Departments, Regions, and other public sector organisations or entities, where appropriate. The Guidelines are prepared in compliance with the “Standards for the Professional Practice of Internal Auditing” developed by the Institute of Internal Auditors and international best practice in public sector Internal Audit.

1.1 The guidelines are intended to provide best practice principles rather than specific guidance on Internal Audit procedures and techniques. Each professional Internal Auditor should hold the general skills and knowledge of Internal Audit practice.

1.2 A brief explanatory note to facilitate a clear understanding of the guidelines is included before each guideline.

1.3 These guidelines provide criteria by which Internal Auditing in the Public Sector in member countries should be measured and evaluated.

1.4 Any standards or guidelines should be dynamic to keep up to date and these guidelines will be revised from time to time as necessary.

2. NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT

2.0 Explanatory Notes:

2.1 This guideline explains the nature, objectives and scope of Internal Auditing and indicates the range of responsibilities that Internal Audit should cover. The Head of Internal Audit should ensure that each Accounting Officer (see Glossary of Technical Internal Audit Terms at the end of these Guidelines) in the public sector organisations for which they are responsible is aware of the full range of activities that fall within the scope of Internal Audit.

2.2 Nature: The Institute of Internal Auditors defines Internal Auditing as "an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

2.3 Internal Audit should be an independent function or division within the public sector organisation. It assists management by reviewing, assessing and helping to improve the internal control system. Internal Auditors work with Accounting Officers and other managers to help to improve internal controls within their public sector organisation and so reduce the risks the Government faces in achieving its objectives to an acceptable level. Internal Audit undertakes reviews of individual systems and processes. As a result, recommendations are made to the relevant Accounting Officer on how internal controls could be improved.

2.4 Scope: The scope of internal audit needs to cover the systematic review, appraisal and reporting of the adequacy of the systems of managerial, financial, operational and budgetary control and their reliability in practice, including:

• the relevance of established policies, plans and procedures, and the extent of compliance with these

• the appropriateness of organisational, personnel and supervision arrangements

• the extent to which assets and interests are accounted for and safeguarded from losses of all kinds arising from waste, extravagance, inefficient administration, fraud or other causes

• the appropriateness, reliability and integrity of financial and other management information and the means used to identify, measure, classify, report and act upon that information

• the integrity of computer systems, including systems under development

• the follow-up action taken to remedy previously identified weaknesses.

2.5 The actual areas reviewed by Internal Audit should be determined by a risk assessment that guides Internal Audit planning (see Guideline Seven).

2.6 There should be an Internal Audit service for all public sector and government organisations including the armed and secret services.

2.7 Objectives: Internal Audit should operate in partnership with management by helping to enhance their accountability, transparency and corporate governance. This is achieved by identifying and evaluating their internal control systems and making recommendations for improvements and refinements to these systems.

2.8 Internal Audit assists Accounting Officers by evaluating and reporting on the elements of the internal control system for which the Accounting Officer is responsible. It is not, however, an extension of, or a substitute for, effective internal controls. Responsibility for internal control rests fully with the Accounting Officer, who should ensure that appropriate and adequate arrangements for internal control exist in addition to any Internal Audit activity in their public sector organisation. It is for the Accounting Officer to decide whether or not to accept and implement Internal Audit findings and recommendations. However, the Accounting Officer should be responsible to an Audit Committee and the Public Accounts Committee for ensuring that prompt and effective action is taken to address Internal Audit's findings. An Audit Committee may assist in ensuring that prompt and effective action is taken in response to audit recommendations.

2.9 Internal Audit may undertake checks that individual items of expenditure are necessary and have been authorised as required. This may be undertaken before the payment is made (pre-audit) or may be undertaken later (post-audit). Internal Audit may also be required to undertake independent checks on stores and fixed assets. However, international best practice suggests that the core element of Internal Audit work should be systems audit. The objective of systems audit is to improve the controls operated by management rather than Internal Audit acting as a control itself.

2.10 If Internal Auditors undertake pre-audit, they should not also undertake system reviews of the same transactions or systems.

Advantages and Disadvantages of Pre-Audit

Advantages

• Could help to ensure that expenditure is necessary and appropriate.

• Could help to ensure that expenditure is properly authorised before payment is made.

• Could help to prevent management fraud.

• Could help to reduce the incidence of fraud or irregularity.

• Could help to confirm the existence of projects, supplies and stores.

Disadvantages

• May reduce officers' responsibilities for internal control. Managers may not check payments properly, but rely on Internal Audit to do these checks.

• Payments may be delayed until Internal Audit has completed their checks.

• It may be an inefficient use of valuable Internal Audit time.

• Could provide an opportunity for unethical Internal Auditors to seek bribes.

• Could relax Internal Audit objectivity when doing systems audit work.

• Could put Internal Audit security at risk.

2.11 In some countries, Internal Audit may be required to undertake pre-audit. Where this is the case consideration should be given to reducing this role. This could be achieved by only undertaking pre-audit on larger payments or those that are particularly vulnerable to fraud or irregularity. Public sector organisations with good internal controls could be rewarded with a reduced requirement to have their expenditure subject to pre-audit.

2.12 Internal Audit is not necessarily best suited to undertake investigations into suspected fraud, corruption or irregularity. This is a specialised function that requires expert knowledge and experience. The approach to fraud investigation is different to that used in routine Internal Audit work. For these reasons, where possible, fraud investigations should be undertaken by a special unit.

2.13 Internal Audit can:

• independently review and appraise the systems of control throughout the public sector organisation (not just the financial controls);

• recommend improvements to internal controls;

• ascertain the extent of compliance with procedures, policies, regulations and legislation;

• provide reassurance to management that their policies are being carried out with adequate control of the associated risks;

• facilitate good practice in managing risks;

• save money by identifying waste and inefficiency, and by facilitating the spread of good practice;

• avoid duplication of effort by an effective partnership with the Auditor-General and other review agencies;

• by its activities help to ensure that assets and interests are safeguarded from fraud, deter fraudsters and possibly identify fraud.

2.14 The existence of Internal Audit in a public sector organisation should not cause a general relaxation of vigilance on the responsibility of the line managers. It is not the responsibility of Internal Audit to detect and/or prevent fraudulent activities and irregularities. This is the responsibility of all officers, managers and the Accounting Officer.

GUIDELINE ONE: NATURE, OBJECTIVES AND SCOPE OF INTERNAL AUDIT

NATURE OF INTERNAL AUDIT

1 Internal Auditing is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The effect of Internal Audit should be continual improvements and refinements to the internal control system as a contribution to proper, economic, efficient and effective use of government resources.

OBJECTIVES OF INTERNAL AUDIT

2 Internal Audit has two main objectives. These are to:

a) ensure that internal control and risk management systems are continually being improved and optimised in response to an ever changing environment;

b) provide reasonable assurance to the relevant Accounting Officer and the Audit Committee that significant risks in the public sector organisation are being appropriately managed, with an emphasis on the role of internal controls.

3 The way that these objectives are achieved will vary between countries and organisations. This leads to a variety of different approaches to Internal Audit. This subject is covered in the Guideline below on Approaches to Internal Audit.

4 The Head of Internal Audit should be consulted when the Accounting Officer wishes to change the system of internal control. The Head of Internal Audit should be required to co-ordinate inter-ministerial or departmental issues concerning control.

5 If Internal Auditors are used to investigate potential fraud or irregularity they will need specialist knowledge and experience. An expert team should be created to investigate cases of actual or potential fraud and irregularity.

INTERNAL CONTROL

6 Internal control has been defined by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in Internal Control – Integrated Framework, as:

'A process, effected by an entity’s board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations; (basic operational objectives, performance goals and safeguarding resources)

• reliability of financial reporting

• compliance with applicable laws and regulations.'

7 Internal control is a management tool used to provide reasonable assurance that the public sector organisation's objectives are being achieved efficiently. Internal control covers the whole system of controls, policies and procedures established by management to meet their targets and objectives.

8 The responsibility for the adequacy and reliability of internal controls rests with management. The relevant Accounting Officer has overall responsibility for the establishment and maintenance of internal controls within their area of responsibility. The Accounting Officer of each public sector organisation should ensure that proper internal controls are introduced, reviewed, and updated to keep them effective. An Audit Committee can assist with this role.

SCOPE OF INTERNAL AUDIT

9 The potential scope of Internal Audit is the whole system of internal control established by a public sector organisation. This may include controls over all the organisation's activities, not just controls over financial accounting and reporting. Internal Audit should review all significant operational and management controls, including policies and procedures for the management of risk. However, Internal Audit should concentrate its efforts on the high risk areas and the most important internal controls.

10 The Accounting Officer and Audit Committee should not restrict Internal Audit to work on financial systems or checking that assets are safeguarded. Internal Audit work should go beyond the accounts to check that public officials and others entrusted with public resources are:

a) complying with applicable laws and regulations

b) achieving government objectives and desired services or benefits established by the public sector organisation.

11 The Audit Committee and the Accounting Officers should ensure that Internal Audit has the widest scope to ensure that internal controls across the whole public sector organisation may be subject to review by Internal Audit.

12 Internal Audit should have unrestricted access to all the people, systems, documents and property it considers necessary for the proper fulfilment of its responsibilities.


3 INTERNAL AUDIT INDEPENDENCE

3.0 Explanatory Notes:

3.1 Internal Audit should be sufficiently independent from line management to ensure that Internal Audit's professional judgements and recommendations are objective and impartial. To be effective, Internal Audit needs to have adequate authority and report at a sufficiently senior level within the public sector organisation. As a result, the Head of Internal Audit should report (for pay and rations) at a level at least equivalent to the Accountant-General in the Ministry of Finance or the Permanent Secretary in other ministries. Internal Audit should also report to an Audit Committee and have a direct reporting line to the Accounting Officer.

3.2 It is generally considered that Internal Audit should not report to a manager if Internal Audit regularly reviews systems that this manager is directly responsible for. For this reason, in some countries it is considered inappropriate for the Accountant-General to be responsible for Internal Audit. The reason for this is that the Accountant-General is the accounting advisor to the Permanent Secretary in the Ministry of Finance and is also in charge of the treasury and the national accounts. The Head of Internal Audit regularly reviews systems that the Accountant-General is responsible for and so should not report on these systems to the same officer.

3.3 Internal Audit will achieve respect through the status it is given in a public sector organisation. For the individual Internal Auditor, objectivity is essential to ensure an attitude of mind characterised by integrity, steadfastness and an impartial approach to work. Objectivity may be impaired through familiarity both with systems and non-audit staff. This may occur if Internal Audit staff are involved with the same work assignments and ministerial officers for several years.

3.4 Internal Audit should take its authority and terms of reference from the Audit Committee and Accounting Officer to whom the Head of Internal Audit should report and have the right of direct access. Internal Audit's terms of reference (or charter) should clearly outline the nature, objectives, responsibilities and scope of Internal Audit. Internal Audit’s terms of reference should be approved by the Audit Committee subject to applicable legislation.

3.5 The written terms of reference for Internal Audit should clearly:

a) establish Internal Audit's position within the organisation

b) establish Internal Audit's right of access to all records (both electronic or otherwise), assets, personnel and premises, and its authority to obtain such information and explanations, as it considers necessary to fulfil its responsibilities

c) define the scope of Internal Auditing activities.

3.6 Objectivity is an independent attitude of mind that Internal Auditors should maintain when performing Internal Audit work. It is important that Internal Auditors always retain a critical edge in undertaking their work. Internal Auditors need to be sceptical in discussions with officers and to obtain an adequate level of proof from Audit testing.

3.7 Objectivity requires Internal Auditors to carry out Audits in such a way that the quality of their work or their honest belief in the results of that work is not compromised. Internal Auditors should not be placed in situations in which they feel unable to make objective professional judgements.

3.8 Internal Auditors should not be placed in situations in which they feel unable to make objective and impartial professional judgements. If any of the situations referred to below arise, Internal Auditors should inform their Head of Internal Audit so that alternative arrangements for the Internal Audit assignment may be made:

(a) Internal Auditors, notwithstanding their employment by the organisation, should be free from any conflict of interest arising either from professional or personal relationships or from pecuniary or other interests in an organisation or activity that is subject to Audit.

(b) Internal Auditors should be free from undue influences, which either restrict or modify the scope or conduct of their work or over-rule or significantly affect judgement as to the content of the Internal Audit report.

(c) Internal Auditors should not allow their objectivity to be impaired when Auditing an activity for which they have had authority or responsibility in the past.

(d) Internal Audit should be consulted about significant proposed changes to the internal control system or the implementation of new systems. Internal Audit may make recommendations on the standards of control to be applied without prejudicing Internal Audit's objectivity in reviewing those systems at a later date.

(e) Internal Auditors should not normally undertake non-Audit duties, but if they do, exceptionally, they should ensure that management understands that they are not then functioning as Internal Auditors.

3.9 International best practice suggests that Audit Committees should be established. Audit Committees are generally considered to improve the independence of Internal Audit. Audit Committees should be established for each public sector organisation. Members of an Audit Committee, especially the chair, should be chosen so that they are sufficiently independent from the senior managers of the public sector organisation and so they are suitably experienced. An Audit Committee may deal with more than one organisation.

3.10 The role of an Audit Committee with regard to Internal Audit is that it should:

• approve Internal Audit's strategic and operational plans and review performance against them

• discuss with Internal Audit its findings and the responses of management to its major recommendations; and, periodically, its views on the overall quality of internal control

• consider the objectives and scope of any additional (non-audit) work undertaken by the Internal Auditors to ensure there are no conflicts of interest and that independence is not compromised

• review the adequacy of the Internal Audit function, its adherence to professional standards, particularly independence, standing, scope, resourcing, its liaison with the Auditor-General and other review agencies and its reporting arrangements

• meet regularly two or three times a year and meet with the Internal Auditors at their request as they deem necessary

• through its Chair represent the concerns of Internal Audit to the relevant Accounting Officer, Permanent Secretary or Minister

• be involved in the process of appointment or dismissal of the Head of Internal Audit

• periodically review the Internal Audit terms of reference.

GUIDELINE TWO: INTERNAL AUDIT INDEPENDENCE

13 Internal Auditors should be objective, and, as far as possible, operationally independent of the management of the public sector organisation.

14 Internal Audit independence should permit it to provide impartial and unbiased judgements that are essential for its proper function. Internal Audit independence should also ensure that the Head of Internal Audit can report without 'fear or favour' to all levels within the public sector organisation. Internal Audit independence can be ensured through status and objectivity.

15 It is the responsibility of the Accounting Officer and the Audit Committee to ensure that conflicts of interest do not arise and that Internal Audit’s objectivity and independence are not compromised. If the independence or objectivity of Internal Audit is impaired, in fact or appearance, the details of the impairment should be disclosed to the Accounting Officer and the Audit Committee.

STATUS

16 The Head of Internal Audit should be responsible to an individual with sufficient authority to promote Internal Audit independence and to ensure the broadest Internal Audit coverage, adequate consideration of Internal Audit reports and appropriate action on Internal Audit recommendations. Internal Audit needs the support of top management officials so that they can gain the co-operation of officers and perform their work without interference. Internal Audit should have a direct reporting line to the Accounting Officer and the Audit Committee.

17 The Head Internal Auditor should report to the Accounting Officer and an Audit Committee.

TERMS OF REFERENCE

18 Internal Audit should have written terms of reference (or charter) that are agreed by the Accounting Officer and the Audit Committee. These should clearly outline the nature, objectives, responsibilities and scope of Internal Audit. The Head of Internal Audit should actively seek to develop and obtain approval of such terms of reference. The terms of reference should be reviewed and revised, if necessary, at least every three years.

19 The terms of reference for Internal Audit should include the requirement for Internal Audit to have access to all personnel, records, assets and property that Internal Audit considers necessary for it to undertake its work effectively.

20 The terms of reference for Internal Audit should be supported by a law, by-law or regulation that specifies the position of the Internal Auditor in the government hierarchy.

OBJECTIVITY

21 The term objectivity includes the requirement on the part of Internal Auditors to have an independent mental attitude to the performance of their work. Objectivity should ensure that Internal Auditors have an honest belief in their work product and that no significant quality compromises are made.

22 Internal Auditors should not be placed in any situation where they feel unable to make objective professional judgements. Objectivity may be impaired through familiarity, with both systems and officers. This may be created by Internal Audit staff being involved with work assignments for too long a period of time. In order to maintain maximum awareness and motivation amongst Internal Audit staff, work assignments should be rotated on a planned basis. Transfers of Internal Audit staff between public sector organisations are to be recommended, every few years, where possible.

23 Internal Audit assignments should be undertaken in such a way that there is no potential or actual conflict of interest. Internal Audit staff should not undertake Audits of systems if they worked in this area in the last year. Internal Audit staff should declare any conflict of interest that may arise.

24 Recommending standards of control for new systems or reviewing procedures before they are implemented is part of Internal Audit work. However, designing, installing and operating systems is not an Internal Audit function. Performing such work is presumed to impair Internal Audit objectivity.

POSITION

25 The position of Internal Audit should be categorised specifically as a Staff function as opposed to all Line Functions. Internal Auditors should not supervise or manage other sections or activities. If Internal Auditors perform non-audit work they are not functioning as Internal Auditors. Performance of such activities is presumed to impair Internal Audit objectivity. Therefore, the Internal Auditor should not undertake executive functions outside their divisional activities.

26 The position of Internal Audit within the public sector organisation should be high enough to ensure that there is no impairment of Internal Audit scope.


4 MANAGING INTERNAL AUDIT

4.0 Explanatory notes:

4.1 The appointment of appropriate staff is important to the success of Internal Audit. Internal Auditors must be able to develop good working relationships with all officers. Internal Auditors must also be able to quickly understand how systems work and be able to identify suitable improvements. The Head of Internal Audit should ensure that all their staff are appropriately trained and receive suitable guidance.

4.2 Controlling: Internal Audit work should be controlled at all levels of operation to achieve objectives and ensure the economic and efficient use of resources.

4.3 The Head of Internal Audit should continually monitor Internal Auditors' performance. Any significant variations from work plans should be investigated and dealt with appropriately. The results of each Internal Audit assignment or groups of Audit assignments should be reviewed against Internal Audit plans. Efficiency should be assessed and any necessary revisions made to subsequent planned work.

4.4 Recording: The Head of Internal Audit should specify standards of Audit documentation, ensure that those standards are maintained and monitor compliance with the standards.

4.5 Appraisal: Like any other department, Internal Audit should be constantly appraised to ensure that its performance and value to the management of the public sector organisation is maximised. The Internal Audit function is subject to budgetary constraints, in common with all other elements of the public sector, therefore its value should continually be re-assessed. This appraisal or assessment should be undertaken by Internal Audit managers and also periodically by independent suitably experienced external assessors. The assessment should consider the views of the Accounting Officer and other senior managers on the success of Internal Audit. It may also consider Internal Audit’s effectiveness and any appropriate directional changes.

4.6 An Internal Audit management unit in the Ministry of Finance may assist in maintaining the quality of internal audit across all public sector organisations and can assist with ensuring the independence of Internal Audit. The Internal Audit management unit may have responsibility for the staffing, planning, organisation and co-ordination of Internal Audit units in all public sector organisations. The management unit may provide guidance to Internal Audit units in other public sector organisations, monitor all Internal Audit reports, and co-ordinate training across the public sector. In some countries Internal Audit units in all public sector organisations are managed by a central Controller of Internal Audit in the Ministry of Finance.

GUIDELINE FOUR: MANAGING INTERNAL AUDIT

27 The Head of Internal Audit should effectively manage Internal Audit to ensure it adds

value to the public sector organisation and to ensure that:

(a) Internal Audit work fulfils its terms of reference

(b) resources for Internal Audit are used efficiently and effectively

(c) Internal Audit staff undergo suitable professional development

(d) Internal Audit work conforms to approved standards

(e) the morale of Internal Audit staff is developed and maintained.

28 The Head of Internal Audit should submit periodic activity reports to the Accounting

Officer and the Audit Committee. These reports should compare:

(a) actual performance with goals and Internal Audit plans

(b) actual expenditures with financial budgets.

The Head of Internal Audit should explain major variances (positive or negative) together

with action taken to address these.

29 The Head of Internal Audit should ensure that Internal Audit staff are provided with a

suitable Audit Manual including written policies and procedures to guide them with their

work. This guidance should also include programmes for particular Internal Audit

assignments. The Internal Audit programmes should specify reporting lines at each level

of management.

30 The Head of Internal Audit should ensure that the work of all levels of Internal Audit staff

is effectively supervised from planning to conclusion. This supervision should include:

(a) provision of suitable instructions and guidance at the outset of an Internal Audit

assignment and approving the Audit programme

(b) seeing that the approved Audit programme is carried out unless deviations are both

justified and authorised

(c) ensuring that Internal Audit staff understand the work to be undertaken and obtain and

document sufficient relevant and reliable audit evidence

(d) determining that Internal Audit objectives are being met.

31

MANAGEMENT REVIEW

All Internal Audit working papers and reports should be reviewed by Internal Audit

managers before the reports are released. This review should include:

(a) determining that Audit working papers adequately support the Audit findings,

conclusions and report

(b) making sure that Audit reports are accurate, objective, clear, concise, constructive and

timely.

32 Internal Audit working papers should show clear evidence of this management review.

33

QUALITY ASSURANCE APPRAISALS

There should be periodical reviews of Internal Audit performance to ensure that its

performance and value to the management of the public sector organisation is maximised

and to ensure compliance with appropriate standards and guidance.

34 The Head of Internal Audit should establish and maintain a quality assurance programme

to evaluate the operations of Internal Audit. This programme should provide reasonable

assurance that Internal Audit work conforms to relevant standards and these Internal

Auditing Guidelines. It should also ensure that Internal Audit adds value by improving

internal control. This quality programme should include:

(a) supervision

(b) internal review

(c) external review.

35 Supervision of Internal Audit work should continuously ensure conformance with the

Institute of Internal Auditors Standards, these Internal Auditing Guidelines, department

policies and Audit programmes.

36 Internal reviews should be performed periodically by senior Internal Audit staff to

appraise the quality of the Internal Audit work that is undertaken in all public sector

organisations.

37 External reviews should be performed to assess the quality of Internal Audit work against

these Guidelines. These reviews should be performed by suitably qualified Internal

Auditors who are independent of the organisation and who do not have either a real or an

apparent conflict of interest. The external reviews should be undertaken at least once

every five years.

38 On completion of such reviews, formal written reports should be issued to the relevant

Accounting Officer and the Audit Committee. These reports should express an opinion on

Internal Audit's compliance with these Internal Auditing Guidelines and, where necessary,

should include recommendations for improvement.

5. PROFESSIONAL PROFICIENCY

5.0 Explanatory notes:

5.1 In carrying out their duties Internal Auditors should exercise due professional care, that is competence

based on appropriate experience, training, ability, integrity and objectivity.

5.2 Due professional care is defined as carrying out Internal Audit work with competence and diligence. Due

care does not mean infallibility. Consequently Internal Auditors cannot provide absolute assurance that

non-compliance or irregularities do not exist. However, it will be incumbent upon the Internal Auditor to

consider the effect of significant weaknesses in the systems under review and evaluate the possibility of

material irregularity or non-compliance with the legislation and regulations when undertaking Internal

Audit.

5.3 Professional care requires the use of Audit skills and judgements based on appropriate experience,

training, ability, integrity and objectivity. The level of professional care to be exercised should be

appropriate to the objective and complexity of the Internal Audit work being performed.

5.4 In order to demonstrate due professional care, Internal Auditors should be able to show that their work

has been performed in the manner which meets the criteria set by these Internal Auditing Guidelines or

specific departmental policies.

5.5 Internal Audits should be performed by, or supervised and controlled by, Audit staff who have the

technical skills, experience and perspective which will enable them to comply with these Guidelines. This

is necessary to maintain Internal Audit's credibility as a dependable instrument of management.

5.6 The Head of Internal Audit should therefore ensure that Audit staff have the capacity to meet the

responsibilities identified by the terms of reference agreed with the Audit Committee and the Accounting

Officer.

5.7 The Head of Audit should ensure that all Internal Audit staff are reminded of their ethical responsibilities

and also ensure that their declarations of interest are reviewed, and where appropriate, updated at least

once a year.

5.8 Internal Auditors should not accept any gift or inducement from an officer, worker, supplier or other third

party. Information acquired by Auditors in the course of their work should not be used for unauthorised

purposes or for personal benefit or gain. Internal Auditors should only accept hospitality when this is

consistent with the public sector organisation’s documented arrangements.

5.9 The most important source of information for Internal Auditors is the staff working within the area subject

to Audit. These officers know how the system actually operates and should have a reasonable idea of how

practical any improvements may be. Thus interviewing skills are essential for all Internal Auditors.

Internal Auditors need to be able to understand what may be a complex system. Internal Auditors also

need to be able to critically assess each stage of the process. Why is it performed? Could it be

undertaken more efficiently?

5.10 Staff who operate the system will know what they do, but not necessarily why they do it. They may also

try and explain the system in the most positive light. The skill of Internal Auditors is to enable all the staff

they interview to open up and describe what they actually do (not just what they think they should do) and

to identify any aspects they think could be improved. Understanding why each step is taken is more

difficult. Staff may just do it “because we’ve always done it that way” or even worse “because the

Auditors told us to”!

5.11 An experienced Internal Auditor will ensure that the staff they talk to are relaxed and so describe the

system, its bad points as well as the good points. They will also challenge the staff to ensure that they

describe what actually happens and through discussion ascertain whether any improvements are possible

and practical.

GUIDELINE FIVE: PROFESSIONAL PROFICIENCY

39

Staffing

Internal Auditors should be appointed through free and open competition on the basis

of merit. The criteria used to fill Internal Audit posts should be suitable and clearly

documented. They should be developed after considering the level of required scope

and responsibility. Deliberate attempts should be made to ensure the proficiency and

qualifications of each prospective Auditor.

40

Compliance with Codes of Conduct

Internal Audit staff should follow existing codes of conduct and ethics for their

organisation. All professional Internal Audit staff should be members of the relevant

accounting or Internal Auditing professional body and follow their code of conduct or

ethics. All Internal Auditors should follow a professional code of conduct which calls

for:

a) high standards of honesty

b) high standards of diligence

c) high standards of loyalty.

41

Knowledge Skills and Discipline

Internal Auditors should be required to (individually) possess the knowledge, skills and

competencies essential to the performance of effective Internal Audit. Internal Audit

staff should be required to possess the following skills:

a) proficiency in applying Internal Auditing Guidelines

b) knowledge of techniques required to perform Internal Audit

c) proficiency in accounting principles and techniques (especially government

accounting)

d) an understanding of management principles and administrative procedures to

enable recognition and evaluation of the materiality and significance of deviations from

good and acceptable practice.

42

Human Relation and Communication

Internal Auditors should possess the skills required to deal with people and to

communicate effectively. They should cultivate harmonious relationships with officers

and managers. Internal Auditors should be proficient in oral and written

communication to enable effective reporting.

43

Continuing Education

Training of Internal Auditors should be a planned and continuous process at all levels

and should be designed to cover:

a) basic training providing the minimum level of skills and knowledge which all

Internal Auditors should possess

b) development training in Audit skills, techniques and behavioural aspects to

improve the effectiveness of those staff currently engaged as Internal Auditors

c) management training for those Auditors with responsibility for managing and

directing Audit teams, together with those staff members who show the potential for

management positions

d) specialist training for those Auditors responsible for a special field of Audit work

which requires specialist skills and knowledge, for example, computer auditing or

performance auditing.

44 Internal Auditors, as responsible Government officers, should be responsible for

continuing their education in order that they maintain their knowledge, skills and

proficiency. They should keep themselves informed on changes and developments in

their public sector organisation's activities and other Government developments.

Internal Auditors also need to be aware of developments across the Internal Auditing

profession.

45 If there is an Internal Audit management unit in the Ministry of Finance, this unit

should be responsible for the co-ordination of training requirements for all government

Internal Auditors. The foundation, from which the assessment of training requirements

of Internal Audit will be derived, should be the database of Internal Audit staff in all

public sector organisations.

46 Internal Auditors should be aware of their responsibility for continuing their education

in order to maintain their proficiency through participation in professional societies,

conferences and seminars, college courses and in-house training, and by engaging in research to

identify new Internal Auditing developments.

47

Due Professional Care

The term due professional care means and includes the application of the care and skill

expected of a reasonable, prudent and competent Internal Auditor in the same or

similar circumstances.

48 In exercising due professional care, Internal Auditors should be alert to the following:

a) the possibility of intentional wrongdoing

b) errors and omissions

c) inefficiency, waste, ineffectiveness

d) conflicts of interest

e) conditions and activities likely to give rise to irregularities

f) inadequate control situations.

49 In exercising due professional care the Head of Internal Audit is required to consider

the following:

a) the extent of Internal Audit work needed to achieve the Audit objectives

b) the relative complexity, materiality or significance of matters to which Audit

procedures are applied

c) adequacy and reliability of risk management and control processes

d) likelihood of material irregularities or non-compliance

e) the cost of Internal Audit work compared to potential benefits or the risk of poor

internal controls.

6. RELATIONSHIPS

6.0 Explanatory notes:

6.1 Management and staff at all levels should have confidence in the integrity, independence and capacity of

Internal Audit. This should be reflected and maintained in good working relationships between Internal

Auditors and the staff in the sections that they review.

6.2 The Head of Internal Audit should seek to foster and maintain constructive working relationships with

stock verifiers, fraud investigators, inspectors and any other review staff. Consultations between Internal

Audit and review staff should lead to effective co-ordination and minimise duplication of work.

6.3 Internal Audit should not improperly disclose any information obtained during the course of their work.

Permission should be provided by senior management before any information is passed outside the

organisation. Internal Audit will, quite properly, reveal to appropriate responsible parties (for example,

police or Auditor-General) all material facts they have established which, if not so revealed, may prevent

the uncovering of unlawful acts or could distort Audit reports. The passing of this information should be

treated as confidential and legally privileged. That is, the Internal Auditor will be exempt from any legal

liability from the passing of such information.

6.4 It is important for Internal Audit to market the services it can provide to managers. This could include

producing leaflets and making presentations to Accounting Officers and other senior officers on the

services, assistance and role that Internal Audit can play.

6.5 The relationship between Internal Audit and the Auditor-General's Office needs to take account of their

differing roles and responsibilities. Internal Audit is an independent appraisal function within the

organisation and Internal Auditors are direct employees. It is the Auditor-General's role to ensure that

the financial statements, operating performance and related statements are properly stated in all material

respects. Internal Audit and the Auditor-General may also have responsibility for performance audit to

ensure that economy, efficiency and effectiveness are improved.

6.6 The aim should be to achieve mutual recognition and respect, leading to a joint improvement in

performance and the avoidance of unnecessary overlapping of work. It should be possible for the

Auditor-General and the Head of Internal Audit to rely on each other's work, subject to limits determined

by their different responsibilities, respective strengths and special abilities. Consultations should be held

and consideration given to whether any work of either Auditor is adequate for the purpose of the other.

Internal Audit does not automatically have a right of access to the records of the Auditor-General.

However, the relationship between the Head of Internal Audit and the Auditor-General should be such

that the Auditor-General will allow access to the necessary records.

6.7 The Head of Internal Audit should seek, where appropriate, co-ordination of the plans of Internal Audit

with those of the Auditor-General's Office and the programme of, for example, stock verifiers. This

co-operation should promote the most effective total audit coverage and should avoid duplication of work.

The Auditor-General's Office will have to decide if they can place reliance on the work of Internal Audit

and so reduce the amount of work undertaken by their own staff.

6.8 The Head of Internal Audit should meet regularly with staff from the Auditor-General's Office to:

• discuss work plans for Internal Audit and the Auditor-General's Office

• agree and review the performance of the work relied on

• evaluate the relationships with the Auditor-General's Office and report as required to the

Accounting Officer and Audit Committee on this relationship

• agree access to each other's audit programmes and working papers

• exchange audit reports and management letters

• enhance understanding of each other's audit techniques and methods

• discuss any other matters of mutual interest.

GUIDELINE SIX: RELATIONSHIPS

50 Internal Audit’s relations with other staff in the public sector organisation, the

Auditor-General, stock verifiers and other review agencies should be based on mutual

confidence, understanding of each other's needs and a reciprocal desire for

co-operation. Management, at all levels, should have complete confidence in the integrity,

independence and capability of the Internal Audit unit.

51 There should not be any form of rivalry or conflict between the Internal Auditors and

staff in the Auditor-General's Office. Similarly, there should be a constructive

relationship between Internal Auditors, stock verifiers and other review agencies.

52 The Head of Internal Audit should initiate action to ensure the development of

co-ordination, effective working relationships and the avoidance of duplication of work

with other review agencies. This could include:

a) liaison meetings to discuss matters of mutual interest

b) arranging for access to each other’s plans, system notes and findings

c) arranging for consultation on plans and proposed visits

d) reviewing training proposals to arrange joint training sessions where possible

e) dissemination of literature for discussion to promote understanding of techniques,

methods and terminology.

53 Copies of Internal Audit reports should be made available to the Auditor-General for

information and co-ordination.

54 Internal Auditors should be familiar with the legislation that defines the statutory

responsibility, duty and rights of access of the Auditor-General. The Head of Internal

Audit should recognise the differences between the roles of Internal Audit and that of

the Auditor-General.

55 The staff of the Auditor-General's Office may review the effectiveness of Internal

Audit as part of their evaluation of management control arrangements. This review

should determine the extent that the Auditor-General's Office is able to rely on Internal

Audit work. Internal Audit should not necessarily undertake special tasks at the request

of the Auditor-General's Office. However, routine, planned Internal Audit work may

be used by the Auditor-General's Office for their own purposes.

56 The relationship between the Internal Auditor and the public sector organisation should

be considered legally privileged. That is, the Internal Auditor will be exempt from any

legal liability from the proper undertaking of their work.

Internal Auditors should not release Audit findings or other information outside the

normal reporting arrangements without the knowledge and permission of those

concerned.

57 Internal Auditors should normally consult and advise managers when arranging Audit

visits to their department. The exception to this rule would be for unannounced

surprise visits.

7. INTERNAL AUDIT PLANNING

7.0 Explanatory notes:

7.1 Internal Audit work should be planned at all levels of operation in order to establish priorities, achieve

objectives and ensure the efficient and effective use of Audit resources. Planning should be based on

Internal Audit's terms of reference and allow for coverage of all significant systems, operations, staff and

sites within the public sector organisation.

7.2 Internal Audit plans should be based on a comprehensive understanding of the public sector organisation

and the way in which it operates. High-risk systems or transactions and any known problem areas should

be clearly identified. The emphasis of the Internal Audit plan should be directed towards these systems.

7.3 Internal Audit plans should be developed in consultation with senior staff and the relevant Accounting

Officer. The appropriate Audit Committee should then approve the Internal Audit plans.

7.4 Internal Audit planning should include the following steps:

• identify all auditable activities within the agreed scope of Internal Audit

• carry out a risk assessment on these activities in conjunction with management, identifying categories

such as high, medium, low

• prepare an audit needs assessment based on the risk assessment

• develop an overall strategic plan from the audit needs assessment to cover these risks, over, say, a

three-year period

• bring to the Accounting Officer and/or the Audit Committee's attention any mismatch between Audit

needs and actual Audit resources

• identify systems to be covered in the first year of the strategic plan and prepare an annual Internal

Audit plan

• discuss the strategic and annual plans with appropriate senior managers, Accounting Officers and the

Auditor-General's Office and amend as necessary

• present the plans to the Accounting Officer and/or the Audit Committee for approval.

7.5 Internal Audit plans should be amended as necessary to take account of changing circumstances. The

Accounting Officer and the Audit Committee should formally approve all significant changes to the

Internal Audit plans.

GUIDELINE SEVEN: INTERNAL AUDIT PLANNING

58 The Head of Internal Audit should establish plans to carry out the responsibilities of

Internal Audit consistent with the public sector organisation's goals and objectives.

59 The Internal Audit planning process should include the following:

(a) identifying goals

(b) preparation of strategic Internal Audit plans

(c) establishing proper staffing plans and financial budgets

(d) preparation of activity reports.

60 Internal Audit plans should:

(a) establish a list of systems that could be Audited and prescribe a period within which it

is desirable that each significant system should be examined

(b) define the tasks to be performed

(c) assist in the direction and control of work by identifying critical areas, setting target

dates and allocating resources.

61 To be effective, the Head of Internal Audit should:

(a) define audit needs taking into account the Internal Audit's terms of reference

(b) identify the staff and other resources needed and reconcile these with available

resources

(c) choose an appropriate time period for the Audit plans

(d) record all plans in writing

(e) monitor work against planned activity and revise plans as appropriate.

62 Internal Audit plans should be based on a risk assessment. The risk assessment process, to

be conducted at least annually, includes an assessment of:

a) relevant risks and their significance

b) consideration of senior management, the Accounting Officer and the Audit

Committee's professional judgement

c) identification of activities to be audited.

63 Internal Audit strategic plans should take into account the following factors:

(a) the date and results of the last Internal Audit assignment

(b) the estimated time required, taking into account the scope of the planned work and the

nature and extent of audit work to be performed by others.

(c) requests by management

(d) major changes in operations, programs, systems, and controls

(e) staffing, planning and effective utilisation of financial budgets

(f) Internal Audit priorities

(g) flexibility to cover unanticipated demands on the department.

64 Internal Audit plans and staffing and financial budgets should be developed from strategic

plans, administrative activities, education and training requirements and research and

development efforts.

65 The Head of Internal Audit should submit annually to the Accounting Officer and Audit

Committee for approval a summary of Internal Audit's strategic plans, staffing plans and

financial budgets. All significant amendments to these plans should similarly be approved

by the Accounting Officer and Audit Committee.

66 The Head of Internal Audit should explain, if necessary, why the Audit needs are not

being met. This should prompt the relevant Accounting Officer to take action to ensure

that their public sector organisation is provided with sufficient Internal Audit resources.

8. APPROACHES TO INTERNAL AUDIT

8.0 Explanatory notes:

8.1 There are several different approaches to Internal Audit. International best practice suggests that

systems audit is the most effective way that Internal Audit can add value to an organisation. However, in

many countries it is considered necessary for Internal Audit to complement systems audit with a pre-audit

approach. If a pre-audit approach is adopted the Head of Internal Audit, the Audit Committee and the

Accounting Officer should discuss the extent that this is necessary. They should also consider suitable

means of reducing the proportion of time that Internal Auditors spend on pre-audit work.

8.2 The systems approach to Internal Audit seeks to assess and improve the effectiveness of the public sector

organisation’s internal control system. The prime purpose of a systems Audit should be to evaluate the

extent to which the system may be relied upon to ensure that the objectives of the system are met. Where

internal controls are not adequate and reliable Internal Audit should make practical recommendations to

ensure that these controls are improved.

8.3 Internal Audit evidence should be adequate to meet the objectives of Audit assignments. Internal Auditors

should be satisfied with the nature, adequacy and relevance of Audit evidence before placing reliance on

that evidence. Information should be collected, analysed and documented by the use of appropriate Audit

techniques.

8.4 The production of Audit evidence should be supervised and reviewed by the Head of Internal Audit. To

meet an acceptable standard the evidence should be sufficiently adequate and convincing to the extent

that a prudent, informed person would be able to appreciate how the Auditor's conclusions were reached.

8.5 Internal Audit may also complement its systems approach with other techniques, for example:

• performance auditing

• control self assessment

• advice and assistance on control issues

• helping with risk management.

GUIDELINE EIGHT: AUDIT APPROACH

67 Internal Auditors should ensure that their approach and methods enable them to discharge

their responsibilities effectively. This will involve careful thought and discussion with the

Accounting Officer, the Audit Committee and others on the most effective approach to

Internal Audit given the particular circumstances of the public sector organisation.

68 Internal Audit should assess and improve the public sector organisation's risk

management, control, and governance processes. The internal auditing activity should

assist the public sector organisation in maintaining effective controls. Assistance can be

provided by evaluating the public sector organisation's controls to determine their

effectiveness and efficiency and by developing recommendations for improvement.

Internal Auditors should ensure that the costs of maintaining controls balance the

potential benefits.

69

SYSTEM APPROACH

Internal Audit should, where possible, adopt a systems approach. The systems approach

aims to assess and help to improve the control features that govern the system. This

approach should provide reasonable assurance that existing controls will ensure that each

system’s objective is achieved.

70 When undertaking systems audit an Internal Auditor should:

a) document and analyse the internal control system across all public sector organisations

and establish Internal Audit plans

b) identify and evaluate the controls that are established in individual systems to achieve

the public sector organisation's objectives in the most economic and efficient manner

c) obtain and record relevant, reliable and sufficient audit evidence to support their

findings and recommendations

d) report findings and recommendations for each individual system that is Audited

e) provide an opinion on the adequacy and reliability of the controls in the individual

system under review

f) provide periodic assurance based on an evaluation of the whole internal control system

across all public sector organisations.

71 The use of the systems approach should enable Internal Audit to confirm the following:

a) the official system

b) whether it is operating according to agreed guidance and regulations

c) whether the system is adequate

d) whether the controls are reliable.

72 The system's adequacy should be used to ascertain the following:

a) what should happen to achieve the system’s objectives

b) what could go wrong in view of the system's design

c) what has been done to stop things going wrong.

9. REPORTING, MONITORING AND FOLLOW UP

9.0 Explanatory notes:

9.1 The findings and recommendations arising from each Internal Audit assignment should be promptly

reported to management. The recommendations should then be followed up to check that agreed action

has been implemented. A summary of Internal Audit findings, recommendations and activities should be

submitted periodically to the Accounting Officer and the Audit Committee.

9.2 In general Internal Audit reports should:

• state the scope, purpose, extent and conclusions of the Internal Audit assignment, including Internal

Audit's opinion on the adequacy of controls

• make recommendations that are appropriate and relevant, that call for action to correct identified

weaknesses or improve the efficiency of operations

• acknowledge the action taken, or proposed, by management.

9.3 Recommendations included in the Internal Audit reports should:

• be practical and provide constructive solutions to problems identified

• be sufficiently detailed to act as a guide for action and facilitate the efficient achievement of the

organisation's objectives

• be prioritised based on the significance of the weakness identified.

9.4 Conclusions are the Internal Auditor's evaluations of the effects of the findings on the particular system reviewed. They should:

• put the findings in perspective based on the overall implications and significance of the weaknesses identified

• identify the extent to which the system's control objectives are being achieved and the degree to which the internal control systems should ensure that the goals and objectives of the public sector organisation are accomplished efficiently.

9.5 Management should be required to respond in writing to each Internal Audit report. Management and Internal Audit should agree officer responsibility and target dates for implementation of agreed recommendations. The responsibility for final editing of Audit reports should remain with the Head of Internal Audit who should always retain the right to issue reports without further editing.

9.6 Follow-up activity is the process by which Internal Audit confirms that agreed recommendations have been implemented by line managers. Internal Audit should periodically follow up Audit reports to review and test the implementation of agreed Internal Audit recommendations.

9.7 The Head of the Internal Audit should submit to the Accounting Officer and Audit Committee, at agreed intervals, a report of Internal Audit activity and results. The report should compare actual Internal Audit activity against the annual Internal Audit plan and should clearly indicate the extent to which the total Internal Audit needs of the public sector organisation have been met.

9.8 In the annual Internal Audit report the Head of the Internal Audit should give a formal opinion to the Accounting Officer and Audit Committee on the extent to which reliance can be placed on the public sector organisation’s internal control system. The attention of the Accounting Officer and Audit Committee should be drawn to any major Internal Audit findings where action appears to be necessary but has not been undertaken.

GUIDELINE NINE: INTERNAL AUDIT REPORTING

73 The Head of Internal Audit should report periodically to the Accounting Officer and the Audit Committee on Internal Audit's purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risks and control issues, corporate governance issues, and other matters needed or requested by the Accounting Officer and the Audit Committee.

74 The findings and recommendations arising from each Internal Audit assignment should be promptly reported to the Accounting Officer and others who are affected by the report. The final Internal Audit report including any comments from the Accounting Officer should be reported to the Audit Committee.

75 The Head of Internal Audit should have complete freedom in the way in which Internal Audit findings are reported and to whom each report is issued. The Head of Internal Audit should review and approve each final Internal Audit report before it is issued.

76 Internal Audit reports should contain all material facts known to the Auditor concerning the system under review to avoid distortion or concealment of any unlawful or improper practice.

77 Internal Audit reports should be regarded as confidential and exclusive to the public sector organisation concerned except for privileged external reviews by the Auditor-General and Permanent Secretary to the Treasury.

78 The Head of Internal Audit should submit monthly or periodic progress reports to the Accounting Officer and the Audit Committee and explain significant deviations from approved strategic plans, staffing plans and financial budgets.

79 The Head of Internal Audit should provide an annual report to the Accounting Officer and the Audit Committee. This report should include:

a) the Head of Internal Audit's opinion on the adequacy and reliability of the whole internal control system

b) the extent that the Internal Audit needs of the public sector organisation have been met

c) any significant Internal Audit findings where action appears necessary but has not been taken

d) any systems within the public sector organisation where the internal controls are not adequate and reliable

e) a comparison of actual Internal Audit activity against the agreed annual plan.

COMMUNICATING RESULTS

80 When communicating results of their work Internal Audit should:

a) confirm in writing any oral reports that are issued

b) discuss conclusions and recommendations at appropriate ministerial, departmental or regional levels before issuing final written reports

c) issue a signed written report after each Internal Audit assignment that is objective, clear, concise, constructive and timely

d) give reports which clearly present the purpose, scope and results of the Audit

e) give reports with recommendations for potential improvement, suggestions of corrective action and acknowledgement of satisfactory performance

f) obtain and include in the report the system managers' views about the conclusions or recommendations

g) include the officer who is to implement each agreed recommendation and a target date for its implementation.

MONITORING AND FOLLOW-UP

81 Internal Auditors should follow up their reports to ascertain that appropriate action is taken on agreed Internal Audit recommendations. Internal Audit should determine, with appropriate Audit testing, that corrective action has been taken and is having the desired effect.

82 If the Accounting Officer does not agree with an Internal Audit recommendation or does not ensure that agreed recommendations are implemented they should accept the associated risks. The Audit Committee may advise the Accounting Officer to implement an Internal Audit recommendation if it considers it necessary to achieve sound internal control.

83 The Auditor-General may review and report on the extent that Internal Audit recommendations have been implemented. Internal Audit may also review the extent that recommendations made by the Auditor-General have been implemented.

Glossary of Technical Internal Audit Terms

Accounting Officer – the head of a government ministry or department who is personally responsible for the management and internal controls of the ministry or department and any fraud or irregularity that may occur.

Adequacy of internal control – an assessment of the quality of internal control. Controls may be considered to be adequate if, when applied consistently, the controls should help to provide reasonable assurance that a control objective will be achieved.

Auditor-General – the head of the government’s external audit service. The Auditor-General is responsible for certifying that the government accounts show a true and fair view, there has been a proper use of public funds and often for undertaking value for money reviews.

Audit Committee – a high level committee, comprising, where possible, independent, non-executive members, with responsibility for overseeing the independent review of the framework of internal control, monitoring the Internal Audit function and the external audit processes.

Audit Needs Assessment - an assessment undertaken by Internal Audit in consultation with management to determine the extent of Internal Audit that is needed within an organisation and the frequency that particular systems should be reviewed.

Control objectives – the objectives of a control system. Used by Internal auditors as a framework for undertaking systems auditing and so assessing the overall quality of the internal control system.

Control Self Assessment – an approach to risk management, that may be facilitated by Internal Audit, that enables management to assess the risks and controls to the achievement of the organisation’s objectives. It may include the development of a risk register that lists the main risks the organisation faces and an action plan for improvements to internal control.

Head of Internal Audit - is a generic title for Chief Internal Auditor or Director of Internal Audit or any other equivalent title.

Internal Audit - is an independent objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Internal Control - is a process, effected by an entity’s board of directors, management and other personnel (people), designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• effectiveness and efficiency of operations; (basic operational objectives, performance goals and safeguarding resources)

• reliability of financial reporting

• compliance with applicable laws and regulations.

Management - implies the Permanent Secretary and Accounting Officers in Ministries, or Controlling officers in Regions or other responsible officers in a public sector organisation.

Performance Audit – an approach to Audit that aims to improve the economy, efficiency and effectiveness of operations. The objective of Performance Audit is to improve the value for money provided by a public sector organisation.

Public Sector Organisation – types of public sector entities, for example, ministries, departments, regions or districts, as examples of the range of possible governmental entities that may exist.

Reliability of Internal Control – an assessment of the extent that internal controls are applied consistently by all staff, at all times and in all circumstances.

Risk – the chance (or probability) that one or more of the organisation’s objectives will not be achieved. It may refer to the failure to achieve objectives efficiently or the occurrence of unwanted outcomes. It may also refer to the inability to exploit possible opportunities.

Risk management - the formal identification, assessment and planned management of significant risks facing the organisation.

Systems Audit - systems audit is the structured analysis of internal control in relation to the objectives of the organisation. Systems audit should enable internal audit to make practical recommendations to address any weaknesses that have been identified within the context of risks to the achievement of the system’s objectives. It should also enable internal audit to form an opinion on the adequacy and reliability of the organisation’s internal control system.

APPENDIX 2

International Standards for the Professional Practice of Internal Auditing

Introduction

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal audit activities are performed in diverse legal and cultural environments; within organizations that vary in purpose, size, complexity, and structure; and by persons within or outside the organization. While differences may affect the practice of internal auditing in each environment, compliance with the International Standards for the Professional Practice of Internal Auditing is essential if the responsibilities of internal auditors are to be met. If internal auditors are prohibited by laws or regulations from complying with certain parts of the Standards, they should comply with all other parts of the Standards and make appropriate disclosures.

Assurance services involve the internal auditor’s objective assessment of evidence to provide an independent opinion or conclusions regarding a process, system or other subject matter. The nature and scope of the assurance engagement are determined by the internal auditor. There are generally three parties involved in assurance services: (1) the person or group directly involved with the process, system or other subject matter – the process owner, (2) the person or group making the assessment – the internal auditor, and (3) the person or group using the assessment - the user.

Consulting services are advisory in nature, and are generally performed at the specific request of an engagement client. The nature and scope of the consulting engagement are subject to agreement with the engagement client. Consulting services generally involve two parties: (1) the person or group offering the advice – the internal auditor, and (2) the person or group seeking and receiving the advice – the engagement client. When performing consulting services the internal auditor should maintain objectivity and not assume management responsibility.

The purpose of the Standards is to:

1. Delineate basic principles that represent the practice of internal auditing as it should be.

2. Provide a framework for performing and promoting a broad range of value-added internal audit activities.

3. Establish the basis for the evaluation of internal audit performance.

4. Foster improved organizational processes and operations.

The Standards consist of Attribute Standards, Performance Standards, and Implementation Standards. The Attribute Standards address the characteristics of organizations and parties performing internal audit activities. The Performance Standards describe the nature of internal audit activities and provide quality criteria against which the performance of these services can be evaluated. While the Attribute and Performance Standards apply to all internal audit services, the Implementation Standards apply to specific types of engagements.

There is one set of Attribute and Performance Standards, however, there are multiple sets of Implementation Standards: a set for each of the major types of internal audit activity. The Implementation Standards have been established for assurance (A) and consulting (C) activities.

The Standards are part of the Professional Practices Framework. The Professional Practices Framework includes the Definition of Internal Auditing, the Code of Ethics, the Standards, and other guidance. Guidance regarding how the Standards might be applied is included in Practice Advisories that are issued by the Professional Issues Committee.

The Standards employ terms that have been given specific meanings that are included in the Glossary.

The development and issuance of the Standards is an ongoing process. The Internal Auditing Standards Board engages in extensive consultation and discussion prior to the issuance of the Standards. This includes worldwide solicitation for public comment through the exposure draft process.

All exposure drafts are posted on The IIA’s Web site as well as being distributed to all IIA Affiliates. Suggestions and comments regarding the Standards can be sent to:

The Institute of Internal Auditors
Global Practices Center, Professional Practices Group
247 Maitland Avenue
Altamonte Springs, FL 32701-4201, USA
E-mail: [email protected]
Web: http://www.theiia.org

ATTRIBUTE STANDARDS

1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.

1000.A1 - The nature of assurance services provided to the organization should be defined in the audit charter. If assurances are to be provided to parties outside the organization, the nature of these assurances should also be defined in the charter.

1000.C1 - The nature of consulting services should be defined in the audit charter.

1100 – Independence and Objectivity

The internal audit activity should be independent, and internal auditors should be objective in performing their work.

1110 – Organizational Independence

The chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.

1110.A1 - The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1120 – Individual Objectivity

Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.

1130 – Impairments to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment should be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

1130.A1 – Internal auditors should refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility should be overseen by a party outside the internal audit activity.

1130.C1 - Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

1130.C2 - If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure should be made to the engagement client prior to accepting the engagement.

1200 – Proficiency and Due Professional Care

Engagements should be performed with proficiency and due professional care.

1210 – Proficiency

Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 - The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1210.A2 – The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

1210.A3 – Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

1210.C1 - The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

1220 - Due Professional Care

Internal auditors should apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

1220.A1 - The internal auditor should exercise due professional care by considering the:

• Extent of work needed to achieve the engagement's objectives.

• Relative complexity, materiality, or significance of matters to which assurance procedures are applied.

• Adequacy and effectiveness of risk management, control, and governance processes.

• Probability of significant errors, irregularities, or noncompliance.

• Cost of assurance in relation to potential benefits.

1220.A2 - In exercising due professional care the internal auditor should consider the use of computer-assisted audit tools and other data analysis techniques.

1220.A3 – The internal auditor should be alert to the significant risks that might affect objectives, operations, or resources. However, assurance procedures alone, even when performed with due professional care, do not guarantee that all significant risks will be identified.

1220.C1 - The internal auditor should exercise due professional care during a consulting engagement by considering the:

• Needs and expectations of clients, including the nature, timing, and communication of engagement results.

• Relative complexity and extent of work needed to achieve the engagement’s objectives.

• Cost of the consulting engagement in relation to potential benefits.

1230 – Continuing Professional Development

Internal auditors should enhance their knowledge, skills, and other competencies through continuing professional development.

1300 – Quality Assurance and Improvement Program

The chief audit executive should develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness. This program includes periodic internal and external quality assessments and ongoing internal monitoring. Each part of the program should be designed to help the internal auditing activity add value and improve the organization’s operations and to provide assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

1310 – Quality Program Assessments

The internal audit activity should adopt a process to monitor and assess the overall effectiveness of the quality program. The process should include both internal and external assessments.

1311 – Internal Assessments

Internal assessments should include:

• Ongoing reviews of the performance of the internal audit activity; and

• Periodic reviews performed through self-assessment or by other persons within the organization, with knowledge of internal audit practices and the Standards.

1312 – External Assessments

External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.

1320 – Reporting on the Quality Program

The chief audit executive should communicate the results of external assessments to the board.

1330 – Use of "Conducted in Accordance with the Standards"

Internal auditors are encouraged to report that their activities are "conducted in accordance with the International Standards for the Professional Practice of Internal Auditing." However, internal auditors may use the statement only if assessments of the quality improvement program demonstrate that the internal audit activity is in compliance with the Standards.

1340 – Disclosure of Noncompliance

Although the internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics, there may be instances in which full compliance is not achieved. When noncompliance impacts the overall scope or operation of the internal audit activity, disclosure should be made to senior management and the board.

PERFORMANCE STANDARDS

2000 – Managing the Internal Audit Activity

The chief audit executive should effectively manage the internal audit activity to ensure it adds value to the organization.

2010 – Planning

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals.

2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually. The input of senior management and the board should be considered in this process.

2010.C1 - The chief audit executive should consider accepting proposed consulting engagements based on the engagement's potential to improve management of risks, add value, and improve the organization’s operations. Those engagements that have been accepted should be included in the plan.

2020 – Communication and Approval

The chief audit executive should communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and to the board for review and approval. The chief audit executive should also communicate the impact of resource limitations.

2030 – Resource Management

The chief audit executive should ensure that internal audit resources are appropriate, sufficient, and effectively deployed to achieve the approved plan.

2040 – Policies and Procedures

The chief audit executive should establish policies and procedures to guide the internal audit activity.

2050 – Coordination

The chief audit executive should share information and coordinate activities with other internal and external providers of relevant assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

2060 – Reporting to the Board and Senior Management

The chief audit executive should report periodically to the board and senior management on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting should also include significant risk exposures and control issues, corporate governance issues, and other matters needed or requested by the board and senior management.

2100 – Nature of Work

The internal audit activity should evaluate and contribute to the improvement of risk management, control, and governance processes using a systematic and disciplined approach.

2110 – Risk Management

The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.

2110.A1 - The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system.

2110.A2 - The internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations.

• Safeguarding of assets.

• Compliance with laws, regulations, and contracts.

2110.C1 - During consulting engagements, internal auditors should address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.

2110.C2 – Internal auditors should incorporate knowledge of risks gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2120 – Control

The internal audit activity should assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems. This should include:

• Reliability and integrity of financial and operational information.

• Effectiveness and efficiency of operations.

• Safeguarding of assets.

• Compliance with laws, regulations, and contracts.

2120.A2 - Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization.

2120.A3 - Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.

2120.A4 - Adequate criteria are needed to evaluate controls. Internal auditors should ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors should use such criteria in their evaluation. If inadequate, internal auditors should work with management to develop appropriate evaluation criteria.

2120.C1 - During consulting engagements, internal auditors should address controls consistent with the engagement’s objectives and be alert to the existence of any significant control weaknesses.

2120.C2 – Internal auditors should incorporate knowledge of controls gained from consulting engagements into the process of identifying and evaluating significant risk exposures of the organization.

2130 – Governance

The internal audit activity should assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization.

• Ensuring effective organizational performance management and accountability.

• Effectively communicating risk and control information to appropriate areas of the organization.

• Effectively coordinating the activities of and communicating information among the board, external and internal auditors and management.

2130.A1 – The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities.

2130.C1 – Consulting engagement objectives should be consistent with the overall values and goals of the organization.

2200 – Engagement Planning

Internal auditors should develop and record a plan for each engagement, including the scope, objectives, timing and resource allocations.

2201 - Planning Considerations

In planning the engagement, internal auditors should consider:

• The objectives of the activity being reviewed and the means by which the activity controls its performance.

• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.

• The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.

• The opportunities for making significant improvements to the activity’s risk management and control systems.

2201.A1 – When planning an engagement for parties outside the organization, internal auditors should establish a written understanding with them about objectives, scope, respective responsibilities and other expectations, including restrictions on distribution of the results of the engagement and access to engagement records.

2201.C1 - Internal auditors should establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding should be documented.

2210 – Engagement Objectives

Objectives should be established for each engagement.

2210.A1 – Internal auditors should conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives should reflect the results of this assessment.

2210.A2 - The internal auditor should consider the probability of significant errors, irregularities, noncompliance, and other exposures when developing the engagement objectives.

2210.C1 – Consulting engagement objectives should address risks, controls, and governance processes to the extent agreed upon with the client.

2220 – Engagement Scope

The established scope should be sufficient to satisfy the objectives of the engagement.

2220.A1 - The scope of the engagement should include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

2220.A2 - If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities and other expectations should be reached and the results of the consulting engagement communicated in accordance with consulting standards.

2220.C1 – In performing consulting engagements, internal auditors should ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If internal auditors develop reservations about the scope during the engagement, these reservations should be discussed with the client to determine whether to continue with the engagement.

2230 – Engagement Resource Allocation

Internal auditors should determine appropriate resources to achieve engagement objectives. Staffing should be based on an evaluation of the nature and complexity of each engagement, time constraints, and available resources.

2240 – Engagement Work Program

Internal auditors should develop work programs that achieve the engagement objectives. These work programs should be recorded.

2240.A1 - Work programs should establish the procedures for identifying, analyzing, evaluating, and recording information during the engagement. The work program should be approved prior to its implementation, and any adjustments approved promptly.

2240.C1 - Work programs for consulting engagements may vary in form and content depending upon the nature of the engagement.

2300 – Performing the Engagement

Internal auditors should identify, analyze, evaluate, and record sufficient information to achieve the engagement's objectives.

2310 – Identifying Information

Internal auditors should identify sufficient, reliable, relevant, and useful information to achieve the engagement’s objectives.

2320 – Analysis and Evaluation

Internal auditors should base conclusions and engagement results on appropriate analyses and evaluations.

2330 – Recording Information

Internal auditors should record relevant information to support the conclusions and engagement results.

2330.A1 - The chief audit executive should control access to engagement records. The chief audit executive should obtain the approval of senior management and/or legal counsel prior to releasing such records to external parties, as appropriate.

2330.A2 - The chief audit executive should develop retention requirements for engagement records. These retention requirements should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2330.C1 - The chief audit executive should develop policies governing the custody and retention of engagement records, as well as their release to internal and external parties. These policies should be consistent with the organization’s guidelines and any pertinent regulatory or other requirements.

2340 – Engagement Supervision

Engagements should be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

2400 – Communicating Results

Internal auditors should communicate the engagement results.

2410 – Criteria for Communicating

Communications should include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1 – Final communication of engagement results should, where appropriate, contain the internal auditor’s overall opinion and/or conclusions.

2410.A2 – Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.

2410.A3 – When releasing engagement results to parties outside the organization, the communication should include limitations on distribution and use of the results.

2410.C1 – Communication of the progress and results of consulting engagements will vary in form and content depending upon the nature of the engagement and the needs of the client.

2420 – Quality of Communications

Communications should be accurate, objective, clear, concise, constructive, complete, and timely.

2421 – Errors and Omissions

If a final communication contains a significant error or omission, the chief audit executive should communicate corrected information to all parties who received the original communication.

2430 – Engagement Disclosure of Noncompliance with the Standards

When noncompliance with the Standards impacts a specific engagement, communication of the results should disclose the:

• Standard(s) with which full compliance was not achieved,
• Reason(s) for noncompliance, and
• Impact of noncompliance on the engagement.

2440 – Disseminating Results

The chief audit executive should communicate results to the appropriate parties.

2440.A1 - The chief audit executive is responsible for communicating the final results to parties who can ensure that the results are given due consideration.

2440.A2 - If not otherwise mandated by legal, statutory or regulatory requirements, prior to releasing results to parties outside the organization, the chief audit executive should:

• Assess the potential risk to the organization.
• Consult with senior management and/or legal counsel as appropriate.
• Control dissemination by restricting the use of the results.

2440.C1 - The chief audit executive is responsible for communicating the final results of consulting engagements to clients.

2440.C2 – During consulting engagements, risk management, control, and governance issues may be identified. Whenever these issues are significant to the organization, they should be communicated to senior management and the board.

2500 – Monitoring Progress

The chief audit executive should establish and maintain a system to monitor the disposition of results communicated to management.

2500.A1 - The chief audit executive should establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action.

2500.C1 – The internal audit activity should monitor the disposition of results of consulting engagements to the extent agreed upon with the client.

2600 – Resolution of Management’s Acceptance of Risks

When the chief audit executive believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the chief audit executive should discuss the matter with senior management. If the decision regarding residual risk is not resolved, the chief audit executive and senior management should report the matter to the board for resolution.

Glossary

Add Value – Value is provided by improving opportunities to achieve organizational objectives, identifying operational improvement, and/or reducing risk exposure through both assurance and consulting services.

Adequate Control - Present if management has planned and organized (designed) in a manner that provides reasonable assurance that the organization's risks have been managed effectively and that the organization’s goals and objectives will be achieved efficiently and economically.

Assurance Services - An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Board – A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organization, or any other designated body of the organization, including the audit committee, to whom the chief audit executive may functionally report.

Charter - The charter of the internal audit activity is a formal written document that defines the activity’s purpose, authority, and responsibility. The charter should (a) establish the internal audit activity’s position within the organization; (b) authorize access to records, personnel, and physical properties relevant to the performance of engagements; and (c) define the scope of internal audit activities.

Chief Audit Executive - Top position within the organization responsible for internal audit activities. Normally, this would be the internal audit director. In the case where internal audit activities are obtained from outside service providers, the chief audit executive is the person responsible for overseeing the service contract and the overall quality assurance of these activities, reporting to senior management and the board regarding internal audit activities, and follow-up of engagement results. The term also includes such titles as general auditor, chief internal auditor, and inspector general.

Code of Ethics – The Code of Ethics of The Institute of Internal Auditors (IIA) are Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe behavior expected of internal auditors. The Code of Ethics applies to both parties and entities that provide internal audit services. The purpose of the Code of Ethics is to promote an ethical culture in the global profession of internal auditing.

Compliance – Conformity and adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.

Conflict of Interest - Any relationship that is or appears to be not in the best interest of the organization. A conflict of interest would prejudice an individual’s ability to perform his or her duties and responsibilities objectively.

Consulting Services – Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.

Control - Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Control Environment - The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides the discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

• Integrity and ethical values.
• Management’s philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

Control Processes - The policies, procedures, and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the risk management process.

Engagement – A specific internal audit assignment, task, or review activity, such as an internal audit, Control Self-Assessment review, fraud examination, or consultancy. An engagement may include multiple tasks or activities designed to accomplish a specific set of related objectives.

Engagement Objectives - Broad statements developed by internal auditors that define intended engagement accomplishments.

Engagement Work Program - A document that lists the procedures to be followed during an engagement, designed to achieve the engagement plan.

External Service Provider - A person or firm, outside of the organization, who has special knowledge, skill, and experience in a particular discipline.

Fraud - Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.

Governance – The combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives.

Impairments - Impairments to individual objectivity and organizational independence may include personal conflicts of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations (funding).

Independence - The freedom from conditions that threaten objectivity or the appearance of objectivity. Such threats to objectivity must be managed at the individual auditor, engagement, functional and organizational levels.

Internal Audit Activity – A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Objectivity - An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Objectivity requires internal auditors not to subordinate their judgment on audit matters to that of others.

Residual Risks – The risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

Risk - The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Management – A process to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organization’s objectives.

Should – The use of the word “should” in the Standards represents a mandatory obligation.

Standard – A professional pronouncement promulgated by the Internal Auditing Standards Board that delineates the requirements for performing a broad range of internal audit activities, and for evaluating internal audit performance.

Appendix II Monday, June 15, 2009 4:16 PM
